new | ask | show | jobs
Goofy_Coyote 7 hours ago  [ - ]

Security Eng here. The whole thing is an absolute mess. I’ve been (and still am) on both sides of the fence.

I currently have two reports (one RCE on a famous OSS ML platform, one cluster take over on a k8s related projects), both are more than 2 months old without as much as an “F you, get lost”. Just got ignored and ghosted, which hurts a lot, because I spent a lot of time finding, and verifying these (all reports with poc and patch). BUT I understand why it’s happening, because I’m also on the receiving end.

security@ and VDPs have always received BS reports and beg-bounties, but boy oh boy, these days we have two people spending 3-4 days a week sifting through this constant flood of garbage compared to 2-3 tears ago where 1 person could triage the inbox and VDP in a day’s work max, which would’ve been considered very busy. Unfortunately we can’t just shutdown the programs or the mailbox because 1. We do occasionally get important and great stuff that actually matters, and 2. We’re a critical infra company and can’t ignore anything really.

The signal to noise ratio is almost zero, but the “what if” is keeping us swimming through this unending river of garbage and burning us out.

Overall, chaotic mess on both sides.

Ending on a doom-and-gloom note: there will be a reckoning.

(Don’t take the note too seriously though, I’m a SecEng, so I have a built-in doom multiplier lol)

Retr0id 5 hours ago  [ - ]

I reported a fun security bug to Google recently (not high in CVSS terms but will probably make the HN front page when it goes public), and the report was auto-closed in minutes as "not reproducible". If they tried to use an LLM to reproduce it I'm not surprised, since it requires a soldering iron.

Having seen the other side of a security inbox I totally get it, and fortunately I was able to get it re-opened via backchannels. I think the future of bug reporting will run almost exclusively on reputation and connections.

PaulStatezny 6 hours ago  [ - ]

> Ending on a doom-and-gloom note: there will be a reckoning.

Can you elaborate on what you mean by this?

philipwhiuk 5 hours ago  [ - ]

I imagine:

AI vulnerability analysis is going to find something, it will be reported by a researcher and ignored as chaff, and then separately, later, someone will build it into an exploit and compromise a piece of critical national infrastructure

-mlv 6 hours ago  [ - ]

Have you considered using LLMs to perform some automated more-or-less reliable classification of incoming reports by severity, affected product, etc., then have agents try to replicate the reported findings?

Ideally the reports would also be coming in in the same structured format.