The AI chatbot vulnerability reports part sure is sad to read.

Why is this even a thing and isn't opt-in?

I dread the idea of starting to get notifications from them in my own projects.

▲ trollbridge 20 hours ago | parent | next [-]

Making a strcpy honeypot doesn’t sound like a bad idea…

  void nobody_calls_me(const char *stuff) {
          char *a, *b;
          const size_t c = 1024;

          a = calloc(c);
          if (!a) return;
          b = malloc(c);
          if (!b) {
                  free(a);
                  return;
          }
          strncpy(a, stuff, c - 1);
          strcpy(b, a);
          strcpy(a, b);
          free(a);
          free(b);
  }

Some clever obfuscation would make this even more effective.

	▲	snvzz 18 hours ago \| parent [-]
		That got those Core SDI abo vibes. Flashback of writing exploits for these back in high school.

▲ easterncalculus 19 hours ago | parent | prev | next [-]

It's a symptom of complete failure of this industry that maintainers are even remotely thinking about, much less implementing changes in their work to stave off harassment over false security impact from bots.

▲ Y_Y 21 hours ago | parent | prev [-]

Because humans generate and relay the slop-reports in the hopes of being helpful

	▲	nottorp 18 hours ago \| parent \| next [-]
		There is or was a cash bug bounty. And even if not, the motivation is building a reputation as a security “expert”.
	▲	captn3m0 21 hours ago \| parent \| prev [-]
		s/being helpful/making money.