If your Open Source project sees a steep increase in the number of high-quality security reports (mostly done with AI) right now (#curl, Linux kernel, glibc confirmed), please tell me the name of this project.

(I'd like to make a little list for my coming talk on this.)

Apache httpd, curl, Django, Firefox, glibc, GnuTLS, Haproxy, libssh, Linux kernel, python, Temporal, Wireshark, wolfSSL

More?

@bagder OpenLDAP is seeing more AI-assisted bug reports that claim to be security issues, but aren't.

E.g., calling a crash in a commandline tool a DoS (no, it's not a service).

@hyc yeps, the tools still have a hard time distinguishing between bugs and security reports, but at least they are nowadays often accurately identifying real flaws, even if not vulnerabilities

@bagder the other one we see is calling assert failures crashes. It's not a SEGV; there's no possibility of data exfiltration or RCE. There's no security exposure, it's just a bug. One that was anticipated hypothetically by the original developer, but whose final disposition wasn't decided upon way back when.

E.g. /* can this even happen? */

They toss in an assert, and it lives quietly in the code for decades before someone definitively shows yes, it can happen...

@hyc sure, but to me that goes into the gray-area category where we always argue with reporters: what's a security problem and what is not. Debates had since the dawn of time, AI tools or not.