
Explain please !!!
"67 percent false positive rate"
That sounds to me like it is wasting a lot of 'Human' time !!!
Please explain how this is effective or efficient !!!???
:)
Generative AI models like Google Bard and GitHub Copilot have a user problem: Those who rely on software assistance may not understand or care about the limitations of these machine learning tools. This has come up in various industries. Lawyers have been sanctioned for citing cases invented by chatbots in their legal filings …
It's not clear to me that it is efficient. Socket could argue it's "effective" based on outcome: they do identify a lot of malicious packages.
It might be efficient if the model is more effective at the initial screening than humans are. Even with a high false-positive rate, if the model narrows the search space for malware in the packages under examination by, say, a couple of orders of magnitude, that might well mean a net gain over not using the model.
Again, we don't have enough evidence to assign a probability to that. We just have Socket's word on it.
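As an added worked example of the search-space argument in the comment above (not code from Socket, the article or any commenter), the script below computes how many packages a human must open per malicious package found under two readings of the thread's "67 percent false positive" figure; the package count, prevalence and recall are constructed assumptions.

```python
"""Human triage workload for a malware screener with a high false-positive figure.

Added illustration of the thread's argument, not code from Socket or the article.
The only number taken from the thread is "67 percent"; total package count,
prevalence of malicious packages and model recall are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Workload:
    reviews_without_model: int  # humans open every package
    reviews_with_model: int     # humans open only what the model flags
    found: int                  # malicious packages the model surfaces
    missed: int                 # malicious packages the model never flags
    reduction: float            # reviews_without_model / reviews_with_model


def workload(total, prevalence, recall, fp_fraction, fp_is_rate):
    """Review counts under two readings of "67% false positives".

    fp_is_rate=False: 67% of *flagged* packages are benign (precision 33%).
    fp_is_rate=True:  67% of *benign* packages get flagged (classic FPR).
    """
    if not 0 < fp_fraction < 1:
        raise ValueError("fp_fraction must be strictly between 0 and 1")
    malicious = round(total * prevalence)
    benign = total - malicious
    found = round(malicious * recall)
    if fp_is_rate:
        false_positives = round(benign * fp_fraction)
    else:
        # flagged = found / precision, with precision = 1 - fp_fraction
        false_positives = round(found / (1 - fp_fraction)) - found
    flagged = found + false_positives
    return Workload(total, flagged, found, malicious - found, total / flagged)


if __name__ == "__main__":
    # Constructed scenario: 1M packages, 1 in 2000 malicious, model catches 80%.
    for reading in (False, True):
        w = workload(1_000_000, 0.0005, 0.8, 0.67, fp_is_rate=reading)
        print("FPR reading:" if reading else "precision reading:", w)
```

Under the precision reading the model cuts human reviews by roughly 800x at the cost of missing a fifth of the malicious packages; under the FPR reading it saves almost nothing, which is why the phrase alone cannot settle the efficiency question.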
Refund the fee if, in the opinion of the developer, the report was written in good faith by a human (even if it turns out not to be a bug).
Keep the fee if it's AI-generated timewasting.
Keep increasing the fee until the level of AI stuff goes down to manageable.
Problem solved?
It will probably get rid of all hunters, both those who submit crap and those who don't. Hunters may be concerned about submitting a real bug and getting charged for it, especially if companies are being vindictive as they sometimes do. While I don't do commercial bug hunting, I've had the experience of reporting a vulnerability to a company and getting a nasty message back because they didn't like having a problem brought to light, so I'd be careful not to do that if it involved getting a nasty message and paying them for the privilege. I think that's what you'll get, but we can always try. I wish there was a better way, but I don't have one.
It might eliminate a lot of the HackerOne types, most of whom aren't adding much value anyway. It wouldn't affect sponsored vulnerability-investigation teams in industry (e.g. Project Zero) or academia (e.g. Graz U's team).
The problem really is administration. HackerOne is one thing (and not, in my opinion, a great thing). There are a lot of independent researchers who submit reports hoping for a bounty or equivalent, such as a security consultation engagement. There are also a lot who submit them just for recognition/reputation, or without expecting compensation. A vendor shouldn't ignore those reports — they might be genuine — even if no "submission fee" is paid; that's unethical and dangerous. And even for reporters who play the game, how is that fee administered, if they don't use a reporting agency like HackerOne?
It won't affect academia or Project Zero types because those people have a lot more ability to report things without penalty and they are also listened to if they have to report something publicly. If a company wants to get rid of the HackerOne types, they have a clear option: don't have a HackerOne presence. If they've decided that the noise from people looking for an opportunistic quick reward is worth the potential benefit of more people looking for and reporting real issues, then this is a more important problem for them. Public bug bounties have always been prone to bad submissions, a problem that AI will probably exacerbate, but each company can individually choose whether to participate.
.... for the Existential Advanced Cyber Threat now Pumping through every Sublime Internet Networking Vein is ...
Houston, do we have a problem ‽ . The Machine[s] is[are] telling humans... "No more crap such as lies that create and propagate fake news for tomorrow’s resulting opinionated crooked views ..... or else"
Please advise. Do we have any solution[s]? Or else sounds pretty unpleasantly ominous.
[If you do not see/recognise/accept that as your current unfolding, present day reality/situation reporting on a mega metadata based 0day vulnerability being exploited and exported far and wide ethereally and down dark and deep underground by/to all manner of alternative means and virtual memes and future builder stakeholders, then ....
1) Prepare yourself for a whole series of what are sure to be for you, almighty shocks giving rise to universal crises ....... Otherworldly Trips.
And all as a consequence of, and an accountable responsibility to be laid at the doors of that and those presiding over the pimping/pumping and dumping of thoughts and activities wickedly aiding and abetting "Oh! What a Tangled Web We Weave/When First We Practice to Deceive!"
2) You gotta get out more. Wake up and smell the coffee, Java and Cocoa.]
I'd argue against this, but I think you misread the situation so much that it's virtually impossible to debate the point with you. Somehow reporting a problem is the same as advertising, even though I don't pay anybody to use libcurl and the article mentions nothing encouraging use of it. I think you might need to read the article again.