submitted 5 days ago by [email protected] to c/[email protected]
[-] [email protected] 2 points 4 days ago

I thought it's a fucking AI company doing it. Nope. People posting curl source into an LLM then posting reviewers' responses into the LLM. Why?

[-] [email protected] 3 points 4 days ago

https://infosec.exchange/@harrysintonen/114455549143577092

Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?

Because apparently it works: https://hackerone.com/evilginx/hacktivity?type=user

It seems that some projects pay bounties for such AI Slop reports.

This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:

  • It looks convincing at a glance, especially if you're not a subject matter expert.
  • It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
  • It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refers to some old or new versions of components, using non-existent commit hashes.
  • The report makes up some convincing functionality or names that are novel, but don't really exist.

An expert's look at the report shows a number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.

The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.

Why didn't it work against the curl project? The attacker miscalculated badly. Curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.

It's only going to get worse from here. This could easily kill the whole concept of #bugbounties. Why?

  • Genuine researchers quit in frustration as they don't get proper reward for their hard work, and see #aislop scoop the money.
  • Orgs/projects abandon bug bounty programs since they get mostly AI Slop reports.
  • Financial backing (as donations or investment) for bug bounty programs disappears as the money is paid to scammers.
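The discrepancy checks the quoted post lists (functions that do not exist, patches against imaginary files, commit hashes that are not in the history) can be partly mechanized before a maintainer spends expert time on a report. The following Python triage helper is an added example, not code from the post, from curl or from HackerOne: it extracts the function names, file paths and commit hashes a report claims and checks each one against a checkout. The source tree, the report text and the commit list are constructed stand-ins, and every name in the helper (`triage`, `extract_claims`, `index_symbols`) is hypothetical. In a real run `known_commits` would be filled from `git rev-list --all`, or the membership test replaced with a `git cat-file -e` call against the repository.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Claims a report typically makes about a code base, as regexes (hypothetical helper).
FUNC_RE = re.compile(r"\b([A-Za-z_]\w*)\(")                         # name( -> call or definition
PATH_RE = re.compile(r"\b((?:lib|src|include)/[\w./-]+\.[ch])\b")   # lib/foo.c style paths
SHA_RE = re.compile(r"\b[0-9a-f]{7,40}\b")                           # abbreviated or full hashes
C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}   # look like calls, are not


@dataclass
class TriageResult:
    missing_files: list = field(default_factory=list)
    missing_functions: list = field(default_factory=list)
    unknown_commits: list = field(default_factory=list)

    def discrepancies(self) -> int:
        return len(self.missing_files) + len(self.missing_functions) + len(self.unknown_commits)


def extract_claims(report: str):
    """Pull out the function names, file paths and commit hashes a report refers to."""
    funcs = sorted({m for m in FUNC_RE.findall(report) if m not in C_KEYWORDS})
    paths = sorted(set(PATH_RE.findall(report)))
    shas = sorted(set(SHA_RE.findall(report)))
    return funcs, paths, shas


def index_symbols(tree_root: str) -> set:
    """Every name used as name( in the .c/.h files under tree_root. A symbol that
    appears nowhere, not even as a call, cannot be the one a report describes."""
    seen = set()
    for dirpath, _, files in os.walk(tree_root):
        for name in files:
            if name.endswith((".c", ".h")):
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    seen.update(FUNC_RE.findall(fh.read()))
    return seen


def triage(report: str, tree_root: str, known_commits: set) -> TriageResult:
    """Compare the report's claims against a checkout. known_commits holds full hashes;
    abbreviated hashes in the report are matched by prefix."""
    funcs, paths, shas = extract_claims(report)
    symbols = index_symbols(tree_root)
    res = TriageResult()
    res.missing_files = [p for p in paths if not os.path.isfile(os.path.join(tree_root, p))]
    res.missing_functions = [f for f in funcs if f not in symbols]
    res.unknown_commits = [s for s in shas if not any(k.startswith(s) for k in known_commits)]
    return res


# --- constructed sample data: not curl's real code, report or history ---
SAMPLE_FILES = {
    "lib/url.h": "int parse_url(const char *s);\n",
    "lib/url.c": '#include "url.h"\n'
                 "static int check_scheme(const char *s) { return s[0] != 0; }\n"
                 "int parse_url(const char *s) { return check_scheme(s); }\n",
}
SAMPLE_COMMITS = {"a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"}
SAMPLE_REPORT = """
Title: Heap overflow in URL parser (constructed sample report)
Affected file: lib/url.c, function parse_url(). The overflow is triggered
inside url_scheme_unescape() in lib/urlapi_fast.c, introduced in commit 3f2a9c1
and still present at a1b2c3d.
"""


def build_sample_tree() -> str:
    """Write the constructed files into a temporary directory that stands in for a checkout."""
    root = tempfile.mkdtemp(prefix="triage_")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_sample() -> TriageResult:
    return triage(SAMPLE_REPORT, build_sample_tree(), SAMPLE_COMMITS)


if __name__ == "__main__":
    r = run_sample()
    print(f"{r.discrepancies()} discrepancies:", r)
```

On the constructed report the helper flags three discrepancies: the function `url_scheme_unescape` appears nowhere in the tree, the file `lib/urlapi_fast.c` does not exist, and commit `3f2a9c1` is not in the history, while `parse_url`, `lib/url.c` and `a1b2c3d` check out. A clean result does not make a report genuine, but a report that fails these cheap checks can be sent back for concrete repro steps before any expert time is spent on it.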
[-] [email protected] 1 points 4 days ago

A quick buck ruins everyone's lives, again.

this post was submitted on 29 Jun 2025
29 points (100.0% liked)