AI slop and fake reports are coming for your bug bounty programs

So -called AI OP alu, money LLM-Genarated low-quality images, videos and texts, occupied the Internet by polluting in the past few years Website, Social media platformAt least A newspaperAnd even Real-World EventsThe

The world of cyberscope is also not resistant to this problem. In the past year, people in the cyberquacy industry have raised concerns about the AI OP OP Bagh Grace Report, which means reports that claim that the weaknesses that actually do not exist, because they were made with one Lounge It simply created the weakness and then it was then packaged in a professional look.

“People are receiving reports that seem reasonable, they look technically correct and RasabilA startup that develops the AI-powered bug hunters, told TechCrunch.

“It appears that it was only a hallucination. Technical details were just made by LLM,” said Ayansku.

IONNESCU, who worked to hack the company from the interior of the Mater Red Team, explained that one of the topics was designed to be helpful and to give positive feedback. “If you ask for a report it will give you a report and

“The problem that people are going on is that people are getting a lot of stuff that looks like gold but it is actually just bad,” said Ayansku.

Just in the last year, there are examples of this real-world. Protection researcher Harry Sintonne has revealed that the Open Source Protection Project Carl has received a fake report. Sintonen writes, “The attacker has badly calculated the wrongly” In a post of MastononThe “Carl can get ai op alu odor a few miles away.”

In response to the post of Sintonen, Benjamin Pifle of Open Collective, a technology platform for non -profit, D They have the same problem: their inbox is “AI flooded in garbage”.

An open source developer, who maintains the Githube Cyclonedex project, Fully pulling the grace of their bug Early this year after receiving the “almost complete AI OP report”.

TechCrunch has learned, top-bug-granted platforms, which are basically the intermediaries between the gel-hackers and agencies, who are willing to pay and reward their products and software, they are watching a spike in the AI-pronounced report, learning Techchench.

Hacker’s co-founder and senior director of the product management, Michiel Prince TechCrunch, told TechCrunch that the company had some AI OP.

“We have also increased false positiveness — the impurity that is demonstrated in real but is produced by LLM and lacking the impact of the world,” said Prince. “These low-sistened accumulations can create words that reduce the skills of the security program.”

Prince has added that “reports that contain hallucinated weaknesses, obscure technical materials or other forms of lower-consistent words are considered as spam.”

Bugcrode founder Cassie Ellis said that there are of course researchers who use AI to find buggies and write those reports that they then submit to the company. Alice said they were watching the overall increase in the submission of 500 per week.

“AI is widely used in the most submission, but it has not yet made a significant spike in the low quality ‘OP Alu’ report,” Alice told TechCrunch. “It will probably increase in the future, but it’s not yet here.”

Alice said that the bogcrode team that analyzes the submission that reports manually reviewed the machine and work flow as well as using machine learning and AI “assist”.

Other companies that operate their own bug bounty programs have also contacted Google, Meta, Microsoft and Mozilla to see if illegal reports or unmanned vulnerable reports bound by LLMS are increasing.

Firefox browser developer Majila spokesperson Damiano Demonte said that the company said “AI-exposed to illegal or low-quality bug reports,” and the report of the report rejected many reports as many reports are invalid-every month.

Mozilla’s employees reviewing bug reports for Firefox do not use AI to filter reports, because it will probably be difficult to do without risk of rejecting a valid bug report, “said in an email in Demon.

Microsoft and Meta, the companies that both have bet on AI, have refused to comment. Google did not respond to any request for comment.

Ionecu predicts that one of the solutions to the AI OP OPLu problem is to invest in AI-powered systems that can submit a filter for at least one initial review and accuracy.

In fact, on Tuesday, hacker Opened Hi TRIZE, a new trizing system that combines people and AI. According to Haceron, this new system benefits “the words of the AI protection agents to cut the words, flag duplicate and prioritize real threats”. Human analysts then take steps to legalize the reports of the bug and increase as needed.

Since hackers use growing LLMs and companies depend on AI to trigger these reports, it can be seen that which of the two AIs will prevail.