To: Alex Rice HackerOne CTO
Hi again,
The level of input crap keeps increasing - both with and without the use of AI. We are now discussing completely dropping our bug-bounty as a means to perhaps slow down the flood.
We could really use some better tools from HackerOne to make it harder for slop to get filed.
@bagder I guess the simplest indicator might just be how many reports a specific user has submitted recently. I'm guessing nobody that actually does this manually submits more than 10 reports a week (unless it's a bug in a protocol that affects many implementations, but those are one-off cases).
@neverpanic @bagder HackerOne has a signal system, submitting bad reports lowers your signal. You can avoid the AI slop reports by having a signal and reputation requirement that's higher than a new user - idk if that's a paywalled feature but I've seen it on some programs. This has a bad side-effect of making it harder to submit a report as a new user but perhaps those reports could go into a low priority queue if someone was signing up to only submit one security issue to curl.
They could implement something on the triager side to tag if a report is AI generated - tools like https://quillbot.com/ai-content-detector are fairly accurate at the 95-100% mark.
Also there are people who regularly submit more than 10 valid reports a week.
@bagder Shouldn't he just be as annoyed? I guess more and more bounty programs are having issues like this.