On the morning of the 13th day of the year we have received *checks notes* 13 #curl vulnerability reports on Hackerone this year.
None a confirmed vulnerability.
@bagder How many credible reports from that source?
If the ratio is too bad, I would consider simply ignoring reports from trash sources. Not worth the effort.
I suppose the upside is that lots of people are scrutinizing and trying really hard to poke holes.
Ironically, we have also received complaints from people who get annoyed when we disclose so many rubbish reports on Hackerone...
@bagder shooting the messenger is ever the easy option
@bagder
> it clogs hacktivity for people wanting to read good disclosures
I don't use Hackerone but I'd imagine there are filters in the UI to hide these?
@bagder thank you for doing this and being vocal about it. The many-eyes principle does not work if some of the 'eyes' are crying wolf.
and of course some of the people I ridicule, ban and expose in these reports come back to me all up in arms about them being completely innocent and they did not know and now I have ruined their professional lives because their cool hacker aliases are now tainted.
@bagder If they don't check their AI slop before posting, it's up to them to take the (rightful) beating for it.
No mercy.
@bagder 🎻 – pity there isn’t an emoji with an even smaller one.
@bagder they were happy enough thinking that they would boost their reputation by finding a vulnerability in curl...
@bagder huh??? Doesn't curl policy explicitly mention that the use of AI must be disclosed? Is it not entirely their own fault that they always miss this part?
@bagder Very sad indeed.
But we *do* let reports through if the hacker alias is really cool. Which, in these cases, they really weren't. 🔥💁🏻‍♂️
@bagder Cue one of Steve Burke's "AI AI AI AI AI" montages from CES or such.