Open source project curl is sick of users submitting “AI slop” vulnerabilities https://arstechni.ca/LAhpm #vulnerabilities #bugreports #hackerone #security #Tech #curl #AI
The image is a screenshot of a post from "Daniel Stenberg, curl CEO. Code Emitting Organism" with a timestamp of "16h", showing that it was edited:
That's it. I've had it. I'm putting my foot down on this craziness.
1. Every reporter submitting security reports on #Hackerone for #curl now needs to answer this question:
"Did you use an Al to find the problem or generate this submission?"
(continued in next post)
I mentioned the #hackerone AI slop thing on #LinkedIn
Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?
Because apparently it works: https://hackerone.com/evilginx/hacktivity?type=user
It seems that some projects pay bounties for such AI Slop reports.
While I can't be 100% sure, we (#curl) count 8 "AI slop" #hackerone submissions so far, which also makes it roughly 8% of the submissions over the last year as we get around 100 submissions per year right now. It makes it roughly as common as we get legitimate security problems reported.
Round two in our fun game: "slop or not?"
(In here, the report is a rewrite of our previous published CVE in a way that I strongly suspect was done by an AI.)
@bagder Good. This is a real problem and if they don't address it, it may end up hurting them in the end. If #Hackerone is just full of AI "researches" posting endless AI slop reports, their clients will move on.
@bagder "it rather seems that AI slop now can help lazy incompetent researchers trick the system."
Any AI slop should result in immediate ban or zeroing of the reputation.
Will we see something like this from #Hackerone? Considering their weird affection with AI I'm not expecting much to happen. As long as the quantity is the measuring stick rather than quality, nothing will happen.
Here's a link to today's AI slop #curl #hackerone report. Freshly disclosed: https://hackerone.com/reports/2887487
Marking them as spam now. #curl #hackerone (AI slop as "security vulnerability reports")
Also #hackerone: please STOP pushing your silly AI features to me. I don't care.
Did you know that #ONLYOFFICE has a bug bounty program on #HackerOne? 
HackerOne is a cybersecurity platform designed to help companies in various industries find and eliminate vulnerabilities and bugs.
The ONLYOFFICE programme on HackerOne allows ethical hackers to report bugs and vulnerabilities and get rewarded.
More information: https://www.onlyoffice.com/blog/2023/08/onlyoffice-hackerone-program-summer-23-updates
#Discord told me on #HackerOne that this isn't a security #vulnerability, so cool, I'll talk about it publicly.
You can disable 2FA¹ on another person's account if you get access to their phone momentarily.
All you have to do is create a new account and put their phone number in as the login; if you verify the code, it strips it from the other account with no warning, and they can't take it back.
So have fun I guess?
¹ SMS is not #2FA
Kolejny krytyczny błąd załatany w GitLabie
Po dwóch miesiącach od poprzednich problemów, które opisywaliśmy, GitLab wydał kolejne poprawione wersje, zarówno Community Edition, jak i Enterprise Edition, oznaczone numerami 17.3.2, 17.2.5 oraz 17.1.7. Podobnie jak poprzednio, najpoważniejszy błąd, oznaczony symbolem CVE-2024-6678, pozwala – w pewnych okolicznościach, które nie zostały sprecyzowane w ogłoszeniu na stronie GitLab – na zdalne wykonanie...
#WBiegu #Cve #Gitlab #Hackerone #Podatności #Websec
https://sekurak.pl/kolejny-krytyczny-blad-zalatany-w-gitlabie/
The original #hackerone report for #curl's CVE-2024-7264: ASN.1 date parser overread is now published:
Just a reminder: with those bug bounty platforms like Bugcrowd, HackerOne or whatever, as a security researcher you are not their customer, you are the product.
If there is a conflict they will tend to side with their customer, meaning the company running the bug bounty program. Good luck proving that you have a right to disclose that vulnerability. They will pressure you into not disclosing as long as the company is opposed. So if you still want to decide anything it’s better not to grow too attached to that account because it will be used as leverage against you.
And they will try very hard to filter reports before these reach the company. If your report is more difficult to understand than the typical report for this program – good luck reaching the company, you’ll need it. It’s very likely that your report will be closed as “out of scope” with all appeals falling on deaf ears. The bug bounty platforms are paid for filtering, not for letting reports through just because they have doubts about them. You might need to think about other ways to reach the people actually in charge.
it has been nearly three months since the last valid #hackerone report against #curl
Just saying.
I bet you can't find anything to report.
#curl project is so effective in resolving reports they've broken #Hackerone https://hackerone.com/curl/policy_scopes
@FrankGevaerts In this case I opted for replacing a root executed binary with a script that injects ssh pubkey to /root/.ssh/authorized_keys and then executes the real binary - this should be quite self-explanatory as the attacker can now just ssh as root. I also wanted to keep this as simple as possible to avoid 4th day of explaining basic concepts to #hackerone analyst. #exploit #ExploitDevelopment
The #HackerOne saga continues: Now the analyst fails to understand how overwriting arbitrary root owned files is a privilege escalation to root.
I think I might need to request Mediation.
'/%3e%3cpath%20d='M50.3943%2022.237V39.5876H43.5185V22.7481C43.5185%2019.2029%2042.0411%2017.3949%2039.036%2017.3949C35.7325%2017.3949%2034.0778%2019.5338%2034.0778%2023.7585V32.9759H27.2434V23.7585C27.2434%2019.5338%2025.5857%2017.3949%2022.2822%2017.3949C19.2949%2017.3949%2017.8027%2019.2029%2017.8027%2022.7481V39.5876H10.9298V22.237C10.9298%2018.6918%2011.835%2015.8754%2013.6453%2013.7877C15.5128%2011.7049%2017.9623%2010.6355%2021.0028%2010.6355C24.522%2010.6355%2027.1813%2011.9885%2028.9542%2014.6917L30.665%2017.5633L32.3788%2014.6917C34.1517%2011.9885%2036.811%2010.6355%2040.3243%2010.6355C43.3619%2010.6355%2045.8114%2011.7049%2047.6847%2013.7877C49.4931%2015.8734%2050.3963%2018.6899%2050.3943%2022.237Z'%20fill='white'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear_89_8'%20x1='30.5'%20y1='0'%20x2='30.5'%20y2='65'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%236364FF'/%3e%3cstop%20offset='1'%20stop-color='%23563ACC'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
