#curl
Abstract:

In these days of "vibe coding" and chatbots, users ask AIs for help with everything. Asked to find security problems in Open Source projects, AI bots tell users something that sounds right. Reporting these "findings" wastes everyone's time and causes much frustration and fatigue. Daniel shows how this looks, how it DDoSes projects and how totally beyond crazy stupid this is. With examples and insights from the #curl project.

----

Good enough maybe?

So far in 2025, we have received 52 vulnerability reports submitted to #curl. Two per week on average.

5 have been confirmed security problems (and have been published)

11 were tagged AI slop; all banned and reported to HackerOne

15 were considered "normal bugs"

21 were deemed "not applicable" (various reasons)

You can follow along with the stream of security reports submitted to #curl by watching the ones we make public:

hackerone.com/curl/hacktivity

Per project policy, we make ALL reports public. (For practical reasons we have so far focused on getting everything submitted during 2025 disclosed. HackerOne has no method to disclose in bulk or automatically, so it is a highly manual and tedious process involving a lot of clicks per single report.)

----

C mistakes among the vulnerabilities present in #curl code

(C mistakes are vulnerabilities that were caused by a mistake that "probably would not have been possible" had we not been using C for curl. Manually assessed for each case.)