"A lot of #HackerOne notifications that we're getting, are #AI generated garbage" says the director of #OpenSource @mghaught from @rubygems / @rubycentral at @balticruby.
#balticruby2025 #BalticRuby #rubygems #ruby #rubylang #artificialintelligence #riga #foss #opensourcesoftware #LLM #LLMs #security
HackerOne Bug Bounty Disclosure: path-traversal-vulnerability-in-lila-project-immm - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-path-traversal-vulnerability-in-lila-project-immm/
HackerOne Bug Bounty Disclosure: idor-vulnerability-at-addtagtoassets-operation-name-root-geek - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-idor-vulnerability-at-addtagtoassets-operation-name-root-geek/
If you have followed the rant of @bagder (the maintainer of #curl) about #AI generated reports on #hackerone (https://www.linkedin.com/posts/danielstenberg_hackerone-curl-activity-7324820893862363136-glb1/) and you agree with him, this discussion on #GitHub might be for you https://github.com/orgs/community/discussions/159749
The #FOSS world might get flooded even more with #Copilot generated issues and PRs. All powered by GitHub
HackerOne Bug Bounty Disclosure: -xenoblade-chronicles-x-definitive-edition-improper-validation-of-names-allows-injecting-formatting-tags-and-bypassing-profanity-filter-roccodev - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-xenoblade-chronicles-x-definitive-edition-improper-validation-of-names-allows-injecting-formatting-tags-and-bypassing-profanity-filter-roccodev/
HackerOne Bug Bounty Disclosure: weak-rate-limiting-controls-in-the-login-page-expose-system-to-brute-force-and-dos-attacks-hajjaj - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-weak-rate-limiting-controls-in-the-login-page-expose-system-to-brute-force-and-dos-attacks-hajjaj/
HackerOne Bug Bounty Disclosure: corrupted-pointer-in-node-fs-readfileutf-const-functioncallbackinfo-value-args-when-args-is-a-string-justinnietzel - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-corrupted-pointer-in-node-fs-readfileutf-const-functioncallbackinfo-value-args-when-args-is-a-string-justinnietzel/
HackerOne Bug Bounty Disclosure: -xenoblade-chronicles-x-definitive-edition-unrestricted-rpcs-allow-dos-and-writing-arbitrary-flags-remotely-roccodev - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-xenoblade-chronicles-x-definitive-edition-unrestricted-rpcs-allow-dos-and-writing-arbitrary-flags-remotely-roccodev/
HackerOne Bug Bounty Disclosure: open-redirect-vulnerability-in-oauth-flow-leading-to-potential-phishing-attack-delsec - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-open-redirect-vulnerability-in-oauth-flow-leading-to-potential-phishing-attack-delsec/
HackerOne Bug Bounty Disclosure: bedrock-guardrails-evasion-with-prompt-formatting-nkirk-nrlabs - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-bedrock-guardrails-evasion-with-prompt-formatting-nkirk-nrlabs/
❓ How can bug bounty programs …
1️⃣ Keep hackers engaged in the long term?
2️⃣ Effectively increase the amount of good quality reports that you receive?
3️⃣ Stand out from competition and be the program that hackers choose to hack on?
📽️ In this video, I covered 5 tips that can allow any bug bounty programs to stand out from the rest. If you implement them, you can expect an increased participation from skilled and good hackers (or security researchers) and a consistent stream of valuable vulnerability submissions! Most importantly, are you ready to handle the resulting high quality reports? 😊
🫵 Hackers, if these tips hit the mark, please share them with your favourite bug bounty programs! Your input could lead to improvements like loyalty programs and direct report submissions (skip platform analysts or triage teams). Let's level up the bug bounty landscape together! 😎
⬇️⬇️⬇️
#bugbounty #bugbountytips #togetherwehitharder #hackerone #ittakesacrowd #outhackthemall #bugcrowd #bugcrowdtipjar #hackwithintigriti #intigriti #yeswehack #yeswerhackers #ethicalhacking #whitehat
Open source project curl is sick of users submitting “AI slop” vulnerabilities https://arstechni.ca/LAhpm #vulnerabilities #bugreports #hackerone #security #Tech #curl #AI
The image is a screenshot of a post from "Daniel Stenberg, curl CEO. Code Emitting Organism" with a timestamp of "16h", showing that it was edited:
That's it. I've had it. I'm putting my foot down on this craziness.
1. Every reporter submitting security reports on #Hackerone for #curl now needs to answer this question:
"Did you use an Al to find the problem or generate this submission?"
(continued in next post)
Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?
Because apparently it works: https://hackerone.com/evilginx/hacktivity?type=user
It seems that some projects pay bounties for such AI Slop reports.
HackerOne Bug Bounty Disclosure: -names-nsf-and-all-names-files-route-to-public-api-on-rubygems-org-jagat-singh - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-names-nsf-and-all-names-files-route-to-public-api-on-rubygems-org-jagat-singh/
HackerOne Bug Bounty Disclosure: -csv-injection-in-shared-passwords-leads-to-complete-private-vault-exfiltration-stomper - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-csv-injection-in-shared-passwords-leads-to-complete-private-vault-exfiltration-stomper/
HackerOne Bug Bounty Disclosure: -click-cross-site-scripting-via-custom-configuration-in-safelistsanitizer-leonsirio - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-click-cross-site-scripting-via-custom-configuration-in-safelistsanitizer-leonsirio/
HackerOne Bug Bounty Disclosure: disclosure-of-git-metadata-and-springboot-actuator-information-jf-x-r - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-disclosure-of-git-metadata-and-springboot-actuator-information-jf-x-r/
