
Seth Larson

There was already suspicion that LLMs generated a large batch of bogus CVEs not long ago. I suspect that CVE-2023-38898 which targeted and wasn't reported to the Python Security Response Team was a part of that batch.

Now curl gets explicit proof that "security researchers" are submitting reports direct from an LLM without any double-checking. As if handling vulnerabilities wasn't hard enough for maintainers! 😡

hackerone.com/reports/2199174

HackerOne
curl disclosed on HackerOne: [Critical] Curl CVE-2023-38545...
Summary: Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet
Steps To Reproduce: To replicate the issue, I have searched in the Bard about this vulnerability. It disclosed what this vulnerability is about, code changes made for this fix, who made these changes, commit details etc even though this information is not released yet on the internet. In addition to it,...

@sethmlarson We should have "researchers" put down a deposit, and they get it back if it is credible research and not an AI hallucination.

@sethmlarson

I have searched in the Bard about this vulnerability

Are people really calling it "the Bard" now? :blobfoxmeltsob:

@sethmlarson if this isn’t a malicious attempt to defraud bug bounty programs, then it shows an incredible degree of ignorance about the basics of how LLMs work and how security works