13 Dec 2024

Complaints About “AI Slop” Vulnerability Reports Ignore That Security Spending is Going to The Wrong Places

Despite billions and billions being spent on security, security remains bad. That applies to software in general and to WordPress plugins in particular. Maybe more money needs to be spent, but it is more likely that the money is being spent on the wrong things. The latter issue applies to reviewing the security of software and to handling reports of security issues, but it keeps being ignored. The Register published a story this week by Thomas Claburn about “AI slop” vulnerability reports, which involve AI-generated claims of vulnerabilities that are not true. What the story didn’t address is why those are occurring. Here is one example included in the story:

As if to underscore the persistence of these concerns, a Curl project bug report posted on December 8 shows that nearly a year after maintainer Daniel Stenberg raised the issue, he’s still confronted by “AI slop” – and wasting his time arguing with a bug submitter who may be partially or entirely automated. [Read more]

5 Nov 2024

Mess Involving WordPress Partner HackerOne Highlights a Major Problem With Usage of Third-Party Bug Bounty Programs

Originally, bug bounty programs were helpful in improving security for a couple of reasons that had nothing to do with payouts for vulnerabilities. They provided a clear method to report security issues to developers, and they signified that developers were going to address the issues instead of doing something like threatening a lawsuit. Then the security industry saw yet another way to make money while making security worse. Security providers, including HackerOne, came along telling companies that they needed a bug bounty program and that they should pay them to manage it. That led to an unnecessary third party being involved in the process, and it let companies that were not interested in fixing issues appear as if they were. The results haven’t been good.

One of the problems with this process, as we previously noted with the programs from WordPress and Automattic, which are handled by HackerOne, is that they create a situation where there isn’t a method to report many security issues. This is something we have tried to address with WordPress, with no success. [Read more]