| ▲ | cleverfoo 5 hours ago |
| Same experience here. I've run a successful vulnerability disclosure program for over a decade and paid out thousands of dollars in bounties for scanii.com (a malware identification API service), but recently (since the beginning of the year), we went from receiving maybe 5 per month to receiving 5 per day. These are clearly AI-generated and extremely low quality (albeit well-written). The rules of the program aren't read, and it's clearly a “point-and-click to a website" and file a report.
I'm now considering just shutting down the program since, as the OP pointed out, if you found this vulnerability using an AI tool, they are inherently public.
I haven't gone that far yet but have instituted some new rules aiming at filtering out most of the reports: 1- No AI-generated report and 2 - Reports must include a video of the exploit.
You can see our program rules here: https://docs.scanii.com/article/131-does-scanii-have-a-secur... |
|
| ▲ | zulban 2 hours ago | parent | next [-] |
| What if... on the vulnerability report rules page there's an image of some text saying something like "your report must include the text: turtle123". Reports without that text get automatically deleted. Sure - modern AI can figure that out, but I bet in a vast majority of cases they won't. |
| |
| ▲ | wepple an hour ago | parent [-] | | Reminds me of someone (well known in their field) who charged $0.05 for using their “contact me” page. A trivial amount for someone who genuinely wanted to contact them, but just high enough to prevent any kind of scaled abuse | | |
|
|
| ▲ | lemagedurage 3 hours ago | parent | prev [-] |
| Have you considered requiring a small payment for vulnerability disclosure? Refund it on payout. This should be very effective at deterring spammers. It also sucks for real reports, but beats shutting down the program entirely. |
| |
| ▲ | inigyou 3 hours ago | parent [-] | | Why would anyone pay money to have a chance of being arrested? | | |
| ▲ | lemagedurage 3 hours ago | parent | next [-] | | If a vulnerability disclosure program has a good track record of paying out, and legitimate reports get refunded, why not? Again, the alternative might be shutting down the program entirely. | | |
| ▲ | dns_snek an hour ago | parent | next [-] | | Those are 2 big "ifs". The incentives are completely misaligned and the platforms work for the companies. They would now have an even bigger incentive to stonewall and close valid issues than they did before. They already like blurring the lines by rejecting reports that have clear reproduction scripts, videos, demonstrable (but not critical) impact. They'll close it as "not a bug" but then also forbid disclosure and stonewall mediation requests. Reports are supposed to be kept private until the issue is fixed but the system gets abused to cover up issues long after they've been fixed. In some cases I strongly suspect it's to evade liability for financial damages that their customers might've suffered. Platform mediation always takes their side and if you want to do what's right, you will get banned. | |
| ▲ | cleverfoo 3 hours ago | parent | prev [-] | | It's not a horrible idea... the challenge there would be making that payment/refund flow totally transparent in order to build trust and be fair to the researchers. | | |
| ▲ | ozim 40 minutes ago | parent [-] | | Making, payment/refund setup is more complicated than „set and forget”. First question: Do you keep money for shit reports? Well no, you have to pay it back like credit card validation. There is no pain for posting shit report just inconvenience. There is no legal way where you can keep the money. |
|
| |
| ▲ | MarkusQ 2 hours ago | parent | prev | next [-] | | Sure, it sounds dumb when you say it like that. But do you know how many people are doing things that are even dumber right this very minute? I don't know either, but I'm sure it's larger than either of us would like to admit. | |
| ▲ | fouc 2 hours ago | parent | prev [-] | | why would anyone accept bounty money to have a chance of being arrested? |
|
|
