singpolyma3 6 hours ago
It's a bit odd that this comes today after so many other projects reverse this finding.
frakt0x90 5 hours ago | parent
AI can find useful exploits, but the highly publicized ones are among a sea of false positives, and the successes I've read about were found by people who were already experts. I can 100% see a public bug bounty program being inundated with garbage even if there are diamonds in the rough.
kccqzy 4 hours ago | parent
Reverse what? Let’s take curl as an example. Daniel Stenberg wrote about how he had to stop curl’s bug bounty program due to prevalent AI slop[0]. He also wrote about how he eventually restarted security bug reports without a bounty[1]. It turns out that without a bounty, the reports are higher quality. It almost seems like removing the monetary incentive attracts people who report bugs out of genuine altruism and concern for security, rather than hope for a quick buck. It feels like it harkens back to an earlier age of free software development on the Internet, untainted by commercial interests. So my opinion is that security bug reports should continue, but bug bounties should not. Turso should probably still encourage corruption bug reports, but with no bounty.

[0]: https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-b...
[1]: https://daniel.haxx.se/blog/2026/04/22/high-quality-chaos/