AI vulnerability/bug finds and reports are a huge problem. Curl has banned the use of AI-generated submissions via HackerOne because none of it made any sense, and it is a waste of resources and time. "We are effectively being DDoSed. If we could, we would charge them for this waste of our time" https://hackerone.com/reports/3125832
@LukaszOlejnik If I click on the reporter's username, there is a list of "closed bugs" together with dollar amounts. Is this money paid out?
If so, the slop is profitable, so it won't go away.
@loke @LukaszOlejnik You've heard of beg bounty, maybe the next thing is microbegging. As long as it's cheap to submit plausible-sounding bugs, people will do so in the hope that one in a hundred will pay a hundred bucks to make the reporter just quietly piss off.
I say report them as spam, and block them, if the program has that option.
@ftp_alun @LukaszOlejnik Seems like it. Since it's basically free to send out an uncountable number of reports, there is no limit to the number of reports you can send. On the receiving end, there's a lot of work though, but that's not their problem.
@loke @ftp_alun @LukaszOlejnik There should be a cost to have more than a small number of outstanding reports, non refundable if any of them are found to be fraudulent.
@dalias @ftp_alun @LukaszOlejnik That's a pretty good idea. How many actual issues would a decent analyst find in a month? 10? I think something as low as 1€ per submission would likely fix the problem.
Hopefully when someone with as much clout as @bagder raises this as an issue, someone might notice? Surely the companies paying out the bounties to the fraudsters would like to, you know, not do that.
@ftp_alun @loke @LukaszOlejnik Maybe "prompt to earn" is the new "play to earn" since the latter turned out to be a lie.
@loke @LukaszOlejnik bingo. I’d be very surprised if the paid out reports were legit. Smells like fraud to me!