The AI Era Is Creating a Bug Hunting Arms Race
Briefly

Nation-state threats are serious, but most incidents organizations handle come from criminal actors, including many highly serious cases. Zero-day exploitation by criminals has been limited, yet successful use can have major impact. Bug hunting monetization is changing as AI increases low-quality submissions, causing overload and bad-faith reporting incentives. Curl ended its bug bounty program after being inundated with AI-generated low-quality reports, while still valuing valid vulnerability reports. The Linux security mailing list became nearly unmanageable due to high-volume duplicate AI bug reports. Later, Curl reported improved submission quality, with many strong reports submitted frequently with AI assistance. Google overhauled vulnerability reward programs for Chrome and Android, lowering payouts for some bug classes and increasing others.
“Nation state issues are very serious and very real, but criminal actors still make up the vast majority of incidents that organizations deal with and many of those incidents are quite serious,” Hultquist adds. “Zero-day use by criminal actors has been fairly limited, and the ones that do use them tend to be really successful, so I think we shouldn't underestimate the impact of more criminals with a zero day in their hands.”
“We have concluded the hard way that a bug bounty gives people too strong incentives to find and make up 'problems' in bad faith that cause overload and abuse,” the group wrote at the time, adding that “we still appreciate and value valid vulnerability reports.”
“Over the last few months, we have stopped getting AI slop security reports in the curl project,” he wrote. “Instead we get an ever-increasing amount of really good security reports, almost all done with the help of AI. They're submitted in a never-before seen frequency and put us under serious load.”
Read at WIRED