AI-Assisted Bug Reports Are Seriously Annoying For Developers (theregister.com)

Generative AI models like Google Bard and GitHub Copilot are increasingly being used in various industries, but users often overlook their limitations, leading to serious errors and inefficiencies. Daniel Stenberg of curl and libcurl highlights a specific problem of AI-generated security reports: when reports are made to look better and to appear to have a point, it takes a longer time to research and eventually discard it. "Every security report has to have a human spend time to look at it and assess what it means," adds Stenberg. "The better the crap, the longer time and the more energy we have to spend on the report until we close it."

The Register reports: The curl project offers a bug bounty to security researchers who find and report legitimate vulnerabilities. According to Stenberg, the program has paid out over $70,000 in rewards to date. Of 415 vulnerability reports received, 64 have been confirmed as security flaws and 77 have been deemed informative -- bugs without obvious security implications. So about 66 percent of the reports have been invalid. The issue for Stenberg is that these reports still need to be investigated and that takes developer time. And while those submitting bug reports have begun using AI tools to accelerate the process of finding supposed bugs and writing up reports, those reviewing bug reports still rely on human review. The result of this asymmetry is more plausible-sounding reports, because chatbot models can produce detailed, readable text without regard to accuracy.

As Stenberg puts it, AI produces better crap. "A crap report does not help the project at all. It instead takes away developer time and energy from something productive. Partly because security work is considered one of the most important areas so it tends to trump almost everything else." As examples, he cites two reports submitted to HackerOne, a vulnerability reporting community. One claimed to describe Curl CVE-2023-38545 prior to actual disclosure. But Stenberg had to post to the forum to make clear that the bug report was bogus. He said that the report, produced with the help of Google Bard, "reeks of typical AI style hallucinations: it mixes and matches facts and details from old security issues, creating and making up something new that has no connection with reality." [...]

Stenberg readily acknowledges that AI assistance can be genuinely helpful. But he argues that having a human in the loop makes the use and outcome of AI tools much better. Even so, he expects the ease and utility of these tools, coupled with the financial incentive of bug bounties, will lead to more shoddy LLM-generated security reports, to the detriment of those on the receiving end.

  • Use AI to assess bug claims and to award bounties.
    You're very welcome.

  • by NFN_NLN ( 633283 ) on Thursday January 04, 2024 @09:17PM (#64133217)

    > "The better the crap, the longer time and the more energy we have to spend on the report until we close it."

    That's the scam. They flood you with so much AI generated noise that you need to purchase AI services to filter through it.

    • by Darinbob ( 1142669 ) on Thursday January 04, 2024 @09:46PM (#64133263)

      As the article says:

      Stenberg readily acknowledges that AI assistance can be genuinely helpful.

      But so far, I have not seen an example of AI being genuinely helpful. Except for trivial cases of "I was wasting my time writing gibberish, and the AI was so much faster at it than I was."

      • by NFN_NLN ( 633283 )

        > But so far, I have not seen an example of AI being genuinely helpful.

        https://www.youtube.com/watch?... [youtube.com]

        • Ok, but that's not the large language model style as was being discussed. I should have been more clear.

      • And this is why I'm beginning to think that it should be named AS: Artificial Stupidity. Much more accurate and it just might make people think twice before trusting it.
  • > But so far, I have not seen an example of AI being genuinely helpful.

        I have very occasionally used it to find API calls. If the words involved are just too common, or the terminology happens to be too vague, making it ungooglable, you can get the call by kind of writing what you want it to do and ChatGPT will have a good chance of telling you what the API call is.

        I've used it once or twice after a recommendation from a friend. Pretty neat. That's about it though...

    • by AmiMoJo ( 196126 )

      It's people trying to claim bug bounties. Because there is a payout, they spend all day running automated tools and AI on code, looking for flaws to report.

  • I get it but (Score:1, Interesting)

    by Anonymous Coward

    As a developer myself I get the problem but at the same time I hate reporting bugs. I often have to explain to the developers why they are morons, etc. It takes too much time. I want to simply point out the flaw then let them figure it out because they know the system. There are way too many bugs in software for me to sit and hand-hold everyone with lots of writing especially when I'm not very experienced with their code.

    I usually don't report bugs because it's too much trouble. But yes, now I'll use AI t

    • Re:I get it but (Score:5, Insightful)

      by Josef Meixner ( 1020161 ) on Friday January 05, 2024 @05:51AM (#64133787) Homepage

      With your attitude towards them I cannot blame anybody for ignoring your input. Let me guess, you cannot be bothered to report the version or the steps necessary to reproduce. Do your bug reports contain more than something along the lines of "You morons, a three year old wouldn't make this bug. Fix it."?

      • > With your attitude towards them I cannot blame anybody for ignoring your input. Let me guess, you cannot be bothered to report the version or the steps necessary to reproduce. Do your bug reports contain more than something along the lines of "You morons, a three year old wouldn't make this bug. Fix it."?

        I agree with the GP post. I can submit screenshots, error codes, specific URLs of pages where the error occurs, detailed steps to reproduce, painstakingly accurate lists of exactly which version numbers of the relevant platforms/OS/app/browser/security modes/etc. and STILL get no acknowledgement from the people whose jobs are to administer/maintain the systems in question. I have run into a depressingly large number of people who very obviously do not analyze problem reports based on whether the problem can

    • That sort of thing, even if it is still factually correct, just makes it take longer to read and parse what it is saying.

    • Re:I get it but (Score:4, Insightful)

      by Junta ( 36770 ) on Friday January 05, 2024 @07:35AM (#64133885)

      > But yes, now I'll use AI to shove something out. I don't do it blindly. I use the AI to convert my simple statement, the core, and turn it into something that apparently normal people need to parse.

      No, the AI generated output is not what people "need to parse". If the LLM processed your prompt fine, then your prompt would have done just fine as a writeup of a bug.

      The whole point is that LLM extended material is obnoxious in this context. At *best* it buries your core actionable detail among a bunch of empty verbosity that the reader must wade through. It is also highly likely to invent details to further muddy the waters, sometimes replacing your detail with another.

      While worse with LLMs, this isn't a new phenomenon. I have always hated it when I came across a communication that clearly wanted to be "professional", as it is pointlessly verbose and takes a lot of time when a brief 3 or 4 sentences would have sufficed.

      If the system analyzes your report, LLM might be able to more accurately suggest possible duplicates. It might be able to recognize potential documentation material to offer an afflicted user. It really sucks at "enhancing" human to human communication if the intent is to sincerely and fully convey information.

    • Re:I get it but (Score:5, Insightful)

      by Petersko ( 564140 ) on Friday January 05, 2024 @11:36AM (#64134349)

      "I hate reporting bugs. I often have to explain to the developers why they are morons, etc."

      No need. You should stop. I'm sure you'll be sorely missed, and your contributions are probably mission critical, but your mental health is more important. Tend to it, even if it means nobody hears from you again.

  • False positives about some "issue" and chasing your tail...well I've known team leads and managers that stir up the developers on the team like a herd of cats...and running all over the place.

    Seriously annoying, like "super serial serious" or "I am unanimous in seriously super annoyed." ?? :)

    JoshK.

  • That's a weird way to phrase it.
    "I am John of Mordor and Forodwaith".

  • LLMs are good at making the most inane crap sound good. They are not good at all at recognizing reality.

  • by ClueHammer ( 6261830 ) on Friday January 05, 2024 @01:56AM (#64133567)
    Already has happened. "User: The AI told me to do this. Support: That option does not exist. User: You're wrong, the AI told me... ", the AI of course generated lies and the user was determined we were wrong, he was right and would not listen to reason.
  • by lurcher ( 88082 ) on Friday January 05, 2024 @04:24AM (#64133703) Homepage

    "According to Stenberg, the program has paid out over $70,000 in rewards to date."

    I know this will come off as whiny, because I guess it is, but how the hell did an open source project like curl manage to get $70k to pay out for these things. I ask from the perspective of someone who has been running unixODBC for the last 20 years, and maybe I am wondering where you apply.

  • The coming of “open” bounties has created many similar situations. That's the main reason why most my interventions have put a halt on these and instead focused on creating small internal/external teams - less is more - especially when it's well done. So I absolutely get his point, but at the same time - it’s a bit like paying insurance - annoying, but good when something significant happens. My core expertise is building and managing these teams for decades. Effort needs to be logical a
  • If you apply Sturgeon's Law, and Pareto's Principle, then 66% noise is actually pretty good...
