cURL Removes Bug Bounties (etn.se)

Ancient Slashdot reader jantangring shares a report from Swedish electronics industry news site Elektroniktidningen (translated to English), writing: "Open source code library cURL is removing the possibility to earn money by reporting bugs, hoping that this will reduce the volume of AI slop reports," reports etn.se. "Joshua Rogers -- AI-wielding bug hunter of fame -- thinks it's a great idea." cURL maintainer Daniel Stenberg famously reported on the flood of AI-generated bad bug reports last year -- "Death by a thousand slops." Now, cURL is removing the bounty payouts as of the end of January.

"We have to try to brake the flood in order not to drown," says cURL maintainer Daniel Stenberg [...]. "Despite being an AI wielding bug hunter himself, Joshua Rogers -- slasher of a hundred bugs -- thinks removing the bounty money is an excellent idea. [...] I think it's a good move and worth a bigger consideration by others. It's ridiculous that it went on for so long to be honest, and I personally would have pulled the plug long ago," he says to etn.se.



  • by Anonymous Coward

    If it's sensible, you'll probably get paid out. People would still do it.

    Makes a lot more sense to put up a barrier to entry than to scrap the whole thing.

    • by martin-boundary ( 547041 ) on Tuesday January 20, 2026 @10:18PM (#65938766)
      That's not a hassle a typical open source project would want to get into. However, a startup could make it a business. Host a bug tracking system and manage a pay to play merchant account where bug submitters can pay by credit card upfront and register a bank account for receiving the bounty. The open source project gets to use the bug tracker for free, and accept or reject. If the bug is accepted, the bounty is paid out of the submission fees, minus operating costs.
  • by liqu1d ( 4349325 ) on Tuesday January 20, 2026 @10:10PM (#65938756)
    It's not that it's inherently incapable of producing good results, it's that people abuse it through ignorance, incompetence or just a lack of care and create a flood of shite for others to wade through to find the small nuggets of gold. That mountain of shite severely holds back the progress of programmers who have to review it. Same with art, websites, video: all have the same AI problem.
    • by TurboStar ( 712836 ) on Tuesday January 20, 2026 @11:06PM (#65938818)

      Indeed. A good dev will use AI to submit a better PR. A bad dev will use AI to submit more PRs. If the goal is getting a PR that hits the money ball, guess which strategy works better? If the boss isn't a programmer, guess which dev gets favored?

    • by martin-boundary ( 547041 ) on Tuesday January 20, 2026 @11:11PM (#65938826)
      Isn't what you're saying *precisely* that AI is inherently incapable of producing good results? You're literally saying that an AI can't judge if what it produces is fit for purpose. So all the intelligence must reside in the human user.

      That's not what AIs have been sold as. They have been sold on the premise that AIs are more intelligent than that.

      • Unfortunately I suspect the AI may be more intelligent than a lot of its proponents. I don't believe it to be intelligent at all. They're using a shotgun approach to find bugs. I haven't actually seen an AI bug report yet so for all I know it's a static scanner finding the bug and the entire "AI" side is adding some flowery wording to make it sound scary.
      • by drinkypoo ( 153816 ) on Tuesday January 20, 2026 @11:56PM (#65938878)

        No, the AI is capable of producing good results, but as it doesn't know anything, it doesn't know when it has done that. The problem is when the person who initiated the AI pushes the human review labor off onto some other person. If you're going to use an AI, you should have to review its output before some other human has to experience it.

        • by martin-boundary ( 547041 ) on Wednesday January 21, 2026 @04:19AM (#65939088)

          No, the AI is capable of producing good results, but as it doesn't know anything, it doesn't know when it has done that.

          You are indeed repeating my point. If the AI is not capable of judging the value of its own work, then what intelligence does the "I" refer to?

          For example, I can go to my library and choose a book which contains a solution to a differential equation I want for some purpose. I must verify that the solution is suitable.

          Is the book intelligent because it has a record of the solution? Clearly not. Did the book produce good work for me? No, since I did the work of checking the solution.

          Is the library intelligent because I can "ask" it for the book, by scanning the titles in alphabetical order? Clearly not. Did the library produce good work because its books are in alphabetical order? No, since I did the work of checking the solution.

          If I ask an "artificial intelligence" to solve a differential equation for some purpose, I should expect a suitable solution. If all I get is a page from a book and I have to check that the page is suitable for the stated purpose, then I am doing the work and the "I" in "AI" is a misnomer.

          • The intelligence would refer to how often it makes decent output based on the input.

            It's obviously better at that than anything we've had before, but even if it gives a qualitative result 90% of the times, that means it's completely not suited to tackle bigger problems without having a human constantly weed out those 10% of bad answers.

            And not sure if you've used AI for programming, but it does have some capabilities & 'creativity'. In some way it obviously is a next generation, more natural, search eng

          • I clearly agree with the thrust here, but that's not the same thing as the AI being unable to "produce good results." It only cannot do it reliably on its own. That's both why the output can be useful and also why nobody should be betting the farm on it at the same time.

            And sure, "intelligence" is a misnomer, although I prefer to solve the problem at the other end. It's not artificial intelligence specifically because it's not intelligence. It's simulated intelligence. Just like a simulated aircraft isn't a

      • by Himmy32 ( 650060 )
        Intelligence residing in the prompt and context giver is often asking too much.
      • AI is like any tool. You can use a hammer to hammer in nails, but you can also try to use it to hammer in screws. Close enough, right? Just because a hammer sucks at hammering in screws doesn't mean it's a useless tool.
    • by allo ( 1728082 )

      The problem is even more obvious: Every correct bug report created using AI can be created by the authors themselves. Why should a third party know better how to run the AI on the code than the authors? Posting AI-generated bug reports basically says "I think the project members are too stupid to use AI".

      • This is a problem in many industries: a newcomer thinks they understand it all and have identified a revolutionary new thing. It's an arrogance that they think they are better than all the experts who have spent decades working on the problem. Wind power generation is a very good example, every week there is a new "genius" pitching vertical axis turbines, a wall of small turbines, or even kites. The industry has settled on horizontal axis, 3-blade machines for good reasons, and companies across the world h
        • by allo ( 1728082 )

          Sometimes one needs to be careful not to overlook the genius. But for every genius there are a thousand people who reinvent the triangular wheel.

    • by bjoast ( 1310293 )
      No problem. We'll just use AI to dig through the mountain of shit.
    • by necro81 ( 917438 )

      It's not that it's inherently incapable of producing good results it's that people abuse it through ignorance, incompetence or just a lack of care and create a flood of shite for others to wade through to find the small nuggets of gold.

      In other words: this is why we can't have nice things.

  • can't they use captchas to prevent the AI bug reports or can AI solve those too now?

  • If the motive of the sloppers is the bounty, this might stem the deluge.

    But, I can think of other motives why people would want to impede cURL's security.

    • I'm sure some of it for the reward money.

      Now, to play devil's advocate: If I had a fat juicy bug that I was using to start exploits, for sure I'd try and tie up the project maintainers with AI bug reports. What better way to distract them? Keep them looking at the crap and hope it turns everyone's attention away from the real thing.

      AI is just a tool. Like all tools it can be (a) used for good, (b) used for evil, (c) used to look at porn or (d) used to try and make money with little to no effort.

  • Good move

    by tero ( 39203 ) on Wednesday January 21, 2026 @01:53AM (#65938978)

    If you follow Daniel on Mastodon, you've seen him talking about the avalanche of complete bogus AI-reports he gets and the ever increasing time he has to spend dealing with them.

    Enshittification of bug bounty platforms - a decade ago when many of the big platforms were starting, there were promises of pre-screening and helping to organize the inflow of reports. I'm guessing that's only for "premium" accounts these days.

    It's not a sustainable way to do application security testing.

  • Bad decision. They should have started charging a deposit for bug registration instead. Ideally, the deposit should be twice the cost of the analysis. If there is no bug, the deposit is taken, and a new deposit is required for the next bug registration. If there is a bug, the deposit is kept and a bonus is paid. In this case, the fake bug registrants will pay for the work of good programmers.

    • Re:Bad decision

      by Viol8 ( 599362 ) on Wednesday January 21, 2026 @06:19AM (#65939164)

      If they start taking monetary payments then they have to become a legal merchant with all the time, cost and hassle that entails.

      • One could also take it to another extreme that it encourages sloppy coding or making the appearance of it. If a project is seen as sloppy, more people will target it to submit bug reports, thus paying more deposits. Question is, is the code really that sloppy and full of bugs that they will pay out more in bounties than they take in for deposits?
        • Maybe you could use an AI to vibe code the perfect amount of AI slop into a project to make the incoming deposits more than the outgoing bounty payments?
    • Yeah, if you want you could organize that and deal with the various business related expenses and taxes that go with it, plus the taking in of money. I'm sure Daniel would be totally happy with you to do that.

      Suggesting, however, the curl team should do it is obnoxious. They're programmers, not business people.

  • A co-worker suggested you make reporters pay say $10 for each bug they report. To be refunded if proven a true bug.

  • I think some of y'all are confused on this, this isn't about keeping AI from reporting bugs, it's about the absolute flood of horrific pull requests he keeps getting for "exploits" that shitty AI code tools claim exist but actually don't. PRs that actually break the code they claim to fix, because the agents suck at real code analysis. They aren't even addressing recognized CVEs, they're just making shit up, and it wastes so much of his time.
    • Yeah.

      I've been following this for a while and I've noticed most of the bugs fit into three categories:

      1. "This function uses strcpy which is totally unsafe and could cause a buffer overflow!" (Two lines before the strcpy is an "if(strlen(...)>=BUFFER_SIZE)" line; it's pretty fucking obvious there's no buffer overflow.)
      2. "You can use curl to get the contents of /etc/passwd displayed on your screen" - uhm... OK.
      3. "This function will bypass its security checks if a dev calls it with the BYPASS_SECURITY_CHEC
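The "category 1" pattern from the comment above, as an added illustration (not curl's code and not part of the thread): a strcpy preceded by a length guard, with the boundary a triager would actually verify before treating the report as real. BUFFER_SIZE, guarded_copy and fits_with_nul are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example buffer size; small so the boundary is easy to see. */
#define BUFFER_SIZE 8

/* Copy src into dst[BUFFER_SIZE]; return 0 on success, -1 if rejected.
 * The guard is ">=": strlen(src) must leave room for the NUL terminator,
 * so strcpy writes at most BUFFER_SIZE bytes. The same guard written with
 * ">" would be a genuine off-by-one; checking which operator is actually
 * on the line is the whole triage step a naive scanner skips. */
int guarded_copy(char dst[BUFFER_SIZE], const char *src)
{
    if (strlen(src) >= BUFFER_SIZE)
        return -1;          /* overlong input is refused, not truncated */
    strcpy(dst, src);       /* flagged by pattern matchers, but bounded by the guard */
    return 0;
}

/* Independent statement of the invariant the guard enforces: a string of
 * length len fits only if len plus its terminator fits in the buffer. */
int fits_with_nul(size_t len)
{
    return len + 1 <= BUFFER_SIZE;
}

int main(void)
{
    /* Constructed inputs straddling the boundary: 7 chars fits, 8 does not. */
    const char *inputs[] = { "abc", "1234567", "12345678", "way too long input" };
    char buf[BUFFER_SIZE];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = guarded_copy(buf, inputs[i]);
        printf("%-20s -> %s\n", inputs[i], rc == 0 ? "copied" : "rejected");
    }
    return 0;
}
```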
