NitpickLawyer 4 hours ago
> You can tell you're in trouble on this thread when everybody starts bringing up the curl bug bounty. I don't know if this is surprising news for people who don't keep up with vuln research, but Daniel Stenberg's curl bug bounty has never been where all the action has been at in vuln research. What, a public bug bounty attracted an overwhelming amount of slop? Quelle surprise! Bug bounties have attracted slop for so long before mainstream LLMs existed they might well have been the inspiration for slop itself.

Yeah, that's just media reporting for you. As anyone who ever administered a bug bounty programme on regular sites (h1, bugcrowd, etc.) can tell you, there was an absolute deluge of slop for years before LLMs came to the scene. It was just manual slop (by manual I mean running wapiti and c/p the reports to h1).
steveklabnik 4 hours ago
I used to answer security vulnerability emails to Rust. We'd regularly get "someone ran an automated tool and reports something that's not real." Like, complaints about CORS settings on rust-lang.org that would let people steal cookies. The website does not use cookies. I wonder if it's gotten actively worse these days. But the newness would be the scale, not the quality itself. | ||||||||
tptacek 4 hours ago
I did some triage work for clients at Latacora and I would rather deal with LLM slop than argue with another person 10 time zones away trying to convince me that something they're doing in the Chrome Inspector constitutes a zero-day. At least there's a possibility that LLM slop might contain some information. You spent tokens on it! | ||||||||
wrs 3 hours ago
The new slop can be much harder to recognize and reject than the old "I ran XYZ web scanner on your site" slop. | ||||||||