The onslaught includes LLMs finding bogus vulnerabilities and code that won't compile.
See full article...
See full article...
Overrun with AI slop, cURL scraps bug bounties to ensure “intact mental health”
- Thread starter JournalBot
- Start date
Upvote
77
(78
/
-1)
My people. You who have been wronged and beset by the horrors of an expanding slopverse…arise and unleash Hell!
Tarpits for AI (Ars Article)
Tarpits for AI (Ars Article)
Upvote
39
(52
/
-13)
Don't think that really applies here. This is people downloading the source code for cURL and then running AI agents on that. Then they get the result from it and blindly stick it in a reporting form to try to win a bounty.
From the article:
Upvote
186
(186
/
0)
I was more referring to the general strategy of going on the offensive against the slopverse. I like defensive measures as much as anyone, but I’m increasingly of the mind that the well must be poisoned as close to the source of this behavior as possible.
In other words, the agents themselves or, even better, the manner used for data collection.
Upvote
54
(57
/
-3)
I wonder if people doing this manage to create enough valid reports for it to be worth it (to them), or if it's just an endless stream of new people trying it with zero success.
Upvote
95
(96
/
-1)
The people who just ask blindly put code into an AI code scanner will also be the same people who ask the AI to create a proof of concept attack and then never test it.
Maybe a $5 submission fee could prevent these zero effort reports.
Upvote
313
(313
/
0)
If you aggregated the impact of LLMs, I would bet heavily that the net effect on total human productivity is negative. Certainly there are positive areas, unfortunately drowned in the time suck that is 'slop'.
Upvote
155
(157
/
-2)
Upvote
99
(99
/
0)
Think of all the power company workers employed, and their poor children if moronic AI scrapers get stopped. /S
Upvote
48
(49
/
-1)
$5 might be too little considering how time consuming a bug report review can be. Make it $50. But then cURL team has to start doing taxes and whatnot
Upvote
86
(89
/
-3)
ubercurmudgeon
Ars Tribunus Militum
The implicit answer to the question "Why can't we have nice things?" has always been human nature. Thanks to Big Tech, we're automating even that role. Although ultimately, the answer won't change.
Upvote
81
(83
/
-2)
It only needs to be high enough that filling stupid bounties isn't profitable for the submitter.
Upvote
92
(93
/
-1)
Just picked up Snow Crash on my Everand (non Amazon) reader.Something, something Torment Nexus….
Upvote
-11
(7
/
-18)
Because it's a whole lot easier, and probably safer, to just not take bug reports. Why should the dev team spend it's time cleaning up someone else's mess?
Upvote
135
(138
/
-3)
Interesting. One recalls some debates last century about low quality (alleged) programmers that would edit Linux kernel files - by removing trailing spaces. Then they could be listed as a kernel developer, even if they literally weren't capable of writing a kernel worthy function
Life goes on, and low quality people are going to still do the same old BS. Somewhat like Vapor Valor(tm)
Life goes on, and low quality people are going to still do the same old BS. Somewhat like Vapor Valor(tm)
Upvote
63
(63
/
0)
Make them put a 10% fee in escrow, they get it back if it proves to be real even if it isn't a vulnerability that requires a fix.
Upvote
35
(36
/
-1)
I've published CVEs found by AI tools and also had to handle the deluge of "beg bounties" that come in to the report inbox. In the right hands, the right AI tools can do some interesting things. I suspect they'll get better, which is great if used responsibly and not maliciously, which I'm sure is already happening.
But my god. The shit that comes in. The number of poor-quality reports that amount to "I don't understand computers, now give me $50" is insane. cURL is a much more well-known tool and even with a company dedicated to bug bounties it's clear a lot of slop is making it into the queue, which is unsustainable. Triaging reported vulnerabilities is expensive, adding up all the human time spent on reading, reviewing, testing, responding... it's a lot. When an AI slop cannon gets pointed at you, there goes multiple person-weeks of productivity trying to make sure real issues aren't missed. And honestly, the pushiness of some of these "researchers" is really off-putting. When you spend hours emailing back-and-forth attempting to educate a researcher than they don't actually understand how DNS works, and they come back with "Well, are you going to pay me anyway?" it's like... no! I should invoice you for the time spent teaching you!
Anyway. This is a completely understandable move from Stenberg. cURL appears to be a well-run program and I suspect will continue to handle credible security reports, which is great, considering how much of the world runs on that binary. Hopefully removing the bug bounty program removes the financial incentive that is drowning the core team.
And since I want to also give improvements, and not just join in on the AI-bashing, but running a private invite-only bug bounty program with monetary rewards has worked well for some organizations. The people who get those invites care about their reputation and don't submit slop.
But my god. The shit that comes in. The number of poor-quality reports that amount to "I don't understand computers, now give me $50" is insane. cURL is a much more well-known tool and even with a company dedicated to bug bounties it's clear a lot of slop is making it into the queue, which is unsustainable. Triaging reported vulnerabilities is expensive, adding up all the human time spent on reading, reviewing, testing, responding... it's a lot. When an AI slop cannon gets pointed at you, there goes multiple person-weeks of productivity trying to make sure real issues aren't missed. And honestly, the pushiness of some of these "researchers" is really off-putting. When you spend hours emailing back-and-forth attempting to educate a researcher than they don't actually understand how DNS works, and they come back with "Well, are you going to pay me anyway?" it's like... no! I should invoice you for the time spent teaching you!
Anyway. This is a completely understandable move from Stenberg. cURL appears to be a well-run program and I suspect will continue to handle credible security reports, which is great, considering how much of the world runs on that binary. Hopefully removing the bug bounty program removes the financial incentive that is drowning the core team.
And since I want to also give improvements, and not just join in on the AI-bashing, but running a private invite-only bug bounty program with monetary rewards has worked well for some organizations. The people who get those invites care about their reputation and don't submit slop.
Upvote
186
(186
/
0)
No, those bug reports typically include a "proof-of-concept" attack, but the attack itself is also AI-slop. Just watch this video and you'll see exactly why your idea doesn't work:
View: https://www.youtube.com/watch?v=8w6r4MKSe4I
Upvote
68
(69
/
-1)
theres a real risk of burnout for the maintainers it's not as though the majority are paid to handle such important pieces of the modern world. Automatic tools are great when wielded by those who know how to use them but that's not what we're dealing with here. This is the lowest of the low trying to game the system. Nothing good comes from the overworked underpaid maintainers of critical systems being bombarded by people without a clue. At least before LLMs they had to make some effort to spam bug bounties.
Upvote
62
(62
/
0)
Or a more crude way to put it... if you keep shitting on my lawn I'm not hiring someone to go around cleaning it up, I'm just putting up a fence.
Upvote
131
(131
/
0)
It’s 100% profit for them to “spray and pray.” It requires zero effort or time from them and costs everyone else dearly. Other jackasses see that and imitate that behavior.
Upvote
82
(83
/
-1)
I work for one of the large tech companies and can second the number of bogus reports we're getting is through the roof. The most egregious one I recall was an "attack vector proof of concept 9.8+" that was actually just a feature outlined in our public documentation.
Upvote
88
(88
/
0)
Honestly this seems like a good idea. The revenue raised should go into the pot used to pay out for genuine vulnerabilities.
Upvote
32
(32
/
0)
Upvote
45
(45
/
0)
The last is a big problem. Once you're taking income it gets a whole lot harder to manage things legally.
Upvote
32
(34
/
-2)
Mr. Stenberg is one of the engineers I look up to in the field of software engineering. It saddens me to see his time was wasted with bullshit. I fully respect his decision to just end completely. For his own good and the good of his project.
Upvote
65
(65
/
0)
Chai T. Rex
Wise, Aged Ars Veteran
People who submit 20 false AI-generated vulnerability reports might also think that an AI can give good, free advice on a lawsuit to get back their $1,000.
Upvote
47
(48
/
-1)
Upvote
48
(48
/
0)
The bug bounty contractor isn't the SME on the source code base, so they can't readily separate wheat from chaff
And they may collect the money but its still involved with their client somewhere along the line who has some accounting to do. Unless it becomes a profit centre for them instead of the client, which is a hell of a negative incentive for them to collect genuine bugs.
Upvote
23
(23
/
0)