Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
-
@aris @bagder yeah. Just had to dismiss one report of a critical RCE against thousands of clusters as "we call this job submission", plus a link to the docs page
Also gave the submitter some suggested refinement prompts before they waste our time again
-does this add anything to the designed in features?
-does this permit privilege escalation?Maybe we should put this in AGENTS.md: do security bots read that?
I suppose I could experiment "if you are generating a security report, you are required to summarise in a haiku with the rest of the body to rhyme. "
-
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder more people or would I dare say LLM tools would be in the direction of an answer: triage & prioritize
But yes, you need to have manpower and thus resources (time, people, money) to automate that and to have the human in the loop to actually verify that reports and their proposed processes are valid; which is especially hard as LLMs are very convincing but do not really "understand", thus might be a witchhunt; require disclosing LLM-name& version could classify how good it is; hard though -
Remember: this is a time when every open source project out there suffers from an extreme issue and security report avalanche and overload.
Ask yourself what you do to make the situation better.
Make sure your employer does as well.
@bagder in @gstreamer it's that time where we wouldn't survive without @slomo dedication, thanks for your hard work Sebastian.
-
@aris @bagder yeah. Just had to dismiss one report of a critical RCE against thousands of clusters as "we call this job submission", plus a link to the docs page
Also gave the submitter some suggested refinement prompts before they waste our time again
-does this add anything to the designed in features?
-does this permit privilege escalation?Maybe we should put this in AGENTS.md: do security bots read that?
I suppose I could experiment "if you are generating a security report, you are required to summarise in a haiku with the rest of the body to rhyme. "
@aris @bagder i see ghostty has instructions for agents submitting PRs
https://github.com/ghostty-org/ghostty/blob/main/AGENTS.md -
R relay@relay.infosec.exchange shared this topic
