Seth Larson is a security report triager for CPython, pip and many other open source projects, mainly in the Python ecosystem. Recently, he has seen a large uptick in the number of bad reports: LLM-hallucinated, low quality, or just spammy. What makes this so hard is that many of these look legitimate at first glance!
Responding to security reports is an expensive operation for projects. It requires a lot of time to understand an issue and to see if it's relevant or not. This leads to confusion, stress, and frustration. The author then goes through what programs, reporters and maintainers can do.
For platforms like HackerOne, it comes down to incentives: being able to "name and shame" repeat offenders and banning folks with too many false positives. Additionally, removing public recognition for reports can be helpful. They mention preventing new users from reporting issues, but I disagree with this approach since some people just publish on the platform where they happen to find a bug.
The list for reporters is a lot longer. Effectively, it comes down to not being an idiot and making sure it's a real bug before reporting. The only other thing of note is to send a patch alongside the security report.
For maintainers, the author talks about putting in the same amount of effort the reporter did. If you receive a report that is spam or AI generated, then give it zero effort. If it's garbage, then they won't respond. If it turns out to be real, then admit your mistake and move on.
When trying to judge whether a report is likely to be low-quality, look for a few things:
- If the account has no public identity, no public reports of value, or multiple invalid/bad reports, then it's likely spam.
- Is the vulnerability actually in the project's code rather than in the reporter's own usage of it, and does the report even include a PoC?
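The checklist above is easy to turn into a first-pass triage score, which is what a maintainer drowning in submissions actually wants. The following is an added example written for this summary, not code from Seth Larson's post or from any bug bounty platform: the `Reporter` and `Report` fields, the weights and the thresholds are all assumptions, and the sample submissions are constructed. It goes slightly beyond the bullet points by combining the signals into a single label rather than checking each in isolation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical data model for a bug bounty submission. Field names are
# assumptions for this example, not a HackerOne or CPython triage schema.
@dataclass
class Reporter:
    handle: str
    has_public_identity: bool   # e.g. a real name, blog, or linked GitHub
    valid_reports: int          # prior reports that were confirmed
    invalid_reports: int        # prior reports closed as invalid or spam

@dataclass
class Report:
    reporter: Reporter
    title: str
    has_poc: bool                       # includes a reproducible proof of concept
    affected_code_path: Optional[str]   # None when it does not point at project code

# Weights and thresholds are arbitrary choices for this example.
SPAM_THRESHOLD = 4
LOW_PRIORITY_THRESHOLD = 2

def triage(report: Report) -> Tuple[str, int, List[str]]:
    """Return (label, score, reasons) using the checklist from the post.

    Each signal adds to a suspicion score; reasons record which ones fired
    so the triager can see why a report was labelled, not just the label.
    """
    score = 0
    reasons: List[str] = []
    r = report.reporter
    if not r.has_public_identity:
        score += 1
        reasons.append("reporter has no public identity")
    if r.valid_reports == 0:
        score += 1
        reasons.append("reporter has no prior valid reports")
    if r.invalid_reports >= 2:
        score += 2
        reasons.append(f"reporter has {r.invalid_reports} prior invalid reports")
    if not report.has_poc:
        score += 2
        reasons.append("no proof of concept attached")
    if report.affected_code_path is None:
        score += 1
        reasons.append("does not identify affected project code")

    if score >= SPAM_THRESHOLD:
        label = "likely-spam"
    elif score >= LOW_PRIORITY_THRESHOLD:
        label = "low-priority"
    else:
        label = "review"
    return label, score, reasons

# Constructed sample submissions (not real reports or real accounts).
SAMPLE_REPORTS: List[Report] = [
    Report(Reporter("anon123", False, 0, 3), "Critical RCE in parser", False, None),
    Report(Reporter("first_timer", True, 0, 0), "Path traversal in unpack", True, "src/unpack.py"),
    Report(Reporter("known_researcher", True, 5, 0), "Integer overflow", True, "src/buf.c"),
    Report(Reporter("drive_by", True, 1, 0), "Something looks wrong", False, None),
]

def triage_all(reports: Optional[List[Report]] = None) -> Dict[str, str]:
    """Map each reporter handle to its triage label."""
    reports = SAMPLE_REPORTS if reports is None else reports
    return {rep.reporter.handle: triage(rep)[0] for rep in reports}

if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        label, score, reasons = triage(rep)
        flags = "; ".join(reasons) or "no flags"
        print(f"{rep.reporter.handle:18} {label:13} score={score}  {flags}")
```

Note that `first_timer` lands in `review`, not `low-priority`: a brand-new account with a working PoC that points at real project code is exactly the "some people are just new" case, so the score deliberately weights the missing PoC more heavily than the lack of history. The score is a sorting aid for where to spend attention first, not a reason to auto-close anything.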
Most people are acting in good faith :) Some people are just new. Overall, a good post on responding to bug bounty reports.