I have previously blogged about the relatively new trend of AI slop in vulnerability reports submitted to curl and how it hurts and exhausts us. This trend does not seem to slow down. On the contrary, it seems that we have recently not only received more AI slop but also more human slop. The latter … Continue reading Death by a thousand slops →
Hindsight bias. This is from 2023. It’s obvious now. If it still was this easy to spot they wouldn’t have closed the bug bounty program.
It was volume that was more the issue with the bug bounty program.
They were flooded, and recognising it is all well and good, but not if there’s no good way to filter it out, not without massive collateral.
I encourage you to read some threads linked at the bottom of the article. The AI spammers have become way less obvious, one even has video. The team still checks every issue.
Right, but the volume was the issue. The cURL team could only work through and verify them so quickly, so the deluge of bug reports just made it impractical for them to dedicate time to sort through it. The idea in getting rid of the bug bounty being that there would be less of an incentive to generate and write a bogus bug report.
If it was just a small handful of fake security reports, they wouldn’t have minded nearly as much.
Uhu, and if it was still as obvious as in 2023 they could have made a filter by now… Which is why I called hindsight bias. But AI improved with being more convincing, that’s the actual problem, not volume. Imagine if AI actually got more correct, they would also have a higher volume of reports. Maybe not that much but ones they’d actually have to spend time to fix.