3 months ago I watched this guy announce the end of the bug bounty program due to slop on stage. Have the tools gotten that much better, or is it just that without the profit motive, people are spending more time separating the real vulns from the slop?
I don't know, but I would guess a little of both. Finding a security vulnerability in curl would be a big deal for anyone professionally. So unfortunately, low-effort scans that clog up the security team's time were probably the main reason for stopping the bug bounty program. If all the issues posted had been for real vulnerabilities, I would hope they'd be scrambling to patch them and would have kept the program running. In addition, Mythos is apparently very capable (we have to trust Anthropic's word on this, since there's no way for us mortals to verify it). Given that the capability of the models has improved, the quality of the reported issues would likely go up. The question is whether it's worth having a bug bounty program that will essentially just be receiving slop (unless you have some automated way of verifying the found issues).
Hazarding a guess, the bug bounty program will remain closed. Quality of the reports for bugs/vulnerabilities will probably go up.