Tools

Open Source AI Slop Vs. Oss Security

2025-11-06 0 views admin
Open Source AI Slop Vs. Oss Security

Disclosure: Certain sections of this content were grammatically refined/updated using AI assistance, as English is not my first language. Quite ironic, I know, given the subject being discussed.

I have now spent almost a decade in the bug bounty industry, started out as a bug hunter (who initially used to submit reports with minimal impact, low-hanging fruits like RXSS, SQLi, CSRF, etc.), then moved on to complex chains involving OAuth, SAML, parser bugs, supply chain security issues, etc., and then became a vulnerability triager for HackerOne, where I have triaged/reviewed thousands of vulnerability submissions. I have now almost developed an instinct that tells me if a report is BS or a valid security concern just by looking at it. I have been at HackerOne for the last 5 years (Nov 2020 - Present), currently as a team lead, overseeing technical services with a focus on triage operations.

One decade of working on both sides, first as a bug hunter, and then on the receiving side reviewing bug submissions, has given me a unique vantage point on how the industry is fracturing under the weight of AI-generated bug reports (sometimes valid submissions, but most of the time, the issues are just plain BS). I have seen cases where it was almost impossible to determine whether a report was a hallucination or a real finding. Even my instincts and a decade of experience failed me, and this is honestly frustrating, not so much for me, because as part of the triage team, it is not my responsibility to fix vulnerabilities, but I do sympathize with maintainers of OSS projects whose inboxes are drowning. Bug bounty platforms have already started taking this problem seriously, as more and more OSS projects are complaining about it.

This is my personal writing space, so naturally, these are my personal views and observations. These views might be a byproduct of my professional experience gained at HackerOne, but in no way are they representative of my employer. I am sure HackerOne, as an organization, has its own perspectives, strategies, and positions on these issues. My analysis here just reflects my own thinking about the systemic problems I see and potential solutions(?).

I call the latter “AI slop” and the first one is still fine, in my opinion. As long as the security report being submitted is technically valid, falls within scope, and demonstrates impact, even if it is written by AI, it is still acceptable. I see both kinds of reports on a daily basis, and I woul

Source: HackerNews

🏷️ Tags

open sourceproject

More from Tools

New Extensões Para Vscode

New Extensões Para Vscode

2025-12-22 0
Latest Scaling Llms To Larger Codebases

Latest Scaling Llms To Larger Codebases

2025-12-22 0
Devstral 2 vs Devstral Small 2: A 30-Minute Playground Test for Multi-File Coding Tasks

Devstral 2 vs Devstral Small 2: A 30-Minute Playground Test for Multi-File Coding Tasks

2025-12-22 0
Scalable Location-Based Content Platform Using Modern Web Tools

Scalable Location-Based Content Platform Using Modern Web Tools

2025-12-22 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views