Bug bounty businesses bombarded with AI slop
Briefly

"The big increase in poor-quality AI reports was 'quickly becoming a major problem,' said Ross McKerchar, chief information security officer at cyber security group Sophos. 'Bug bounties are going to stay [but] they're going to have to change,' he said."
Bug bounty programs, which pay independent researchers to find software vulnerabilities, are receiving rapidly increasing volumes of low-quality submissions generated with AI tools. Bugcrowd reported that submissions more than quadrupled over a three-week period in March, with most proving false. Curl suspended its paid bug bounty program in January, citing an explosion in AI slop reports and lower-quality submissions. Cybersecurity experts say generative AI changes the economics of bug bounties: it speeds up experienced researchers while lowering the barrier to entry for automated or erroneous submissions. Companies must spend more time filtering results, and some are suspending programs or planning changes. The problem comes both from new amateurs and from existing researchers being misled by AI agents.
Read at Ars Technica