The AI slop security reporting is basically extinct.

j_s_j@mastodon.social

@bagder @annika What was the total time between “this slop is a problem” and “this stuff is pretty good”?

bagder@mastodon.social

I want to emphasize this because when I talk about AI security reports now, half my readers seem to believe those are AI slop. They're not. They are found with AI tools and normally high quality bug reports.

The weakest part is that they tend to overstress the vulnerability angle. Lots of them are well phrased bug reports that are still "just bugs".

aedius@lavraievie.social

@bagder @annika

I assume that they also used your free work to create the prompt that refuse a lot of bad report internaly.

raboof@merveilles.town

@bagder I wish this was my experience . But it's certainly getting better.

kboyd@phpc.social

@bagder Yeah, seems like around january things flipped around.

I was hoping the slop would continue to be slop, but alas. Wishful thinking on my part (to make it easier to disregard the fad).

evilpie@hachyderm.io

@bagder The other problem with AI bug reports is the verbosity, otherwise I basically agree.

grayrattus@mastodon.social

@bagder I love how you changed your opinion on this topic when you saw real evidence in form of good security reports written by AI.

If someone would write this 2 years ago I would say they are delusional but today its just reality.

I hope soon we get open models with such capabilities as for now only the gatekeeped models from big tech are capable of doing such good work.

#LLMs #genai #anthropic

bagder@mastodon.social

@evilpie true they are normally way too talkative

varpie@peculiar.florist

@bagder Didn't you share one just 2 days ago though? hackerone.com/reports/3669305

bagder@mastodon.social

@grayrattus it was never my opinion as much as my summary of the situation... and the situation has changed quite drastically

hughsie@mastodon.social

@bagder I get this with fwupd too. Everything that's AI found is reported as a CVSS 10.0 CRITICAL vulnerability, and then you find out it's assuming the attacker has write access on /etc or something dumb like that.

At that point it's just a regular old typo bugfix like all the other thousands of unimportant commits.

grayrattus@mastodon.social

@j_s_j @bagder @annika month.

Claude Mythos Preview \ red.anthropic.com

(red.anthropic.com)

Here you can read more.

grayrattus@mastodon.social

@bagder yeah. Sorry. More like summary of the situation.

utopiah@mastodon.pirateparty.be

@bagder "they tend to overstress the vulnerability angle." which I imagine is simply because that's what the prompt suggested.

bagder@mastodon.social

@utopiah probably, but also because the AIs can't really tell

langerjan@chaos.social

@bagder Well, I guess you could quickly convince them otherwise with your "reports/ai-slop ratio" graph.

edmcbane@hachyderm.io

@Varpie @bagder 90% of the time it works every time. It probably improved dramatically, but still slop lingers?

stevel@hachyderm.io

@bagder I see
- good ones using AI as part of a rigorous process with replication
- mediocre where someone asked an AI "Find me a CVE", submits the report without review or replication, and yet still expects credit

If "have write access to the filesystem" is a prerequisite to an exploit: it's not an exploit. You already have total ownership of the server

louisbotha@mastodon.social

@bagder Can't wait for your next graph

alesandroortiz@infosec.exchange

@bagder Do reporters share the tools used, or are there strong tool indicators in the reports?

Curious about which tool(s) are most successful, at least for cURL research.

I imagine in most cases reporters don't mention the tools used (especially if custom), which is unfortunate.