• DeadDigger@lemmy.zip · 8 up, 3 down · 5 days ago

    Well, the problem is that, for example, curl got flooded with generated security reports where only 5% had some true security potential. So your LLM will basically flood you with false positives.

    • ByteJunk@lemmy.world · 6 up, 1 down · 5 days ago

      If 5% of the reports are genuine security vulnerabilities that they wouldn’t have found otherwise, that’s looking like a big win to me, not sure how you see it differently.

      • DeadDigger@lemmy.zip · 1 up · 4 days ago

        No, 5% is very low compared to before AI, and this still does not mean the absolute number of found bugs has risen. From my understanding it didn’t for curl. Further, it is unlikely that bugs in curl are not found. Basically everything works with curl, and it’s a paid bug bounty program, so a lot of security researchers are looking at it.

      • frongt@lemmy.zip · 7 up, 3 down · 5 days ago

        The problem is identifying which 5%. Nobody wants to filter that much AI slop.

        • AwesomeLowlander@sh.itjust.works · 11 up, 2 down · 5 days ago

          If you’re working for a company’s cybersec, that’s your job. And a much preferable one to waiting for an attacker to do it for you.

          • borari@lemmy.dbzer0.com · 6 up · 4 days ago

            If you’re submitting a vulnerability to a public repo, that’s also your job. These slop reports that are wasting maintainers’ time should never have been reported. The person tasking the LLM is out of their depth and can’t be the human in the loop who verifies the vulnerability report before submitting, because they don’t have the required knowledge to do that. It’s a shame, because if people who had the requisite knowledge were the ones submitting, the ratio of valid reports to noise would be way higher than 5%, and open source maintainers wouldn’t be feeling burned the fuck out.

          • ByteJunk@lemmy.world · 5 up · 4 days ago

            Exactly. If you go through 100 tickets and find 5 real vulnerabilities to patch, that sounds incredibly good…

          • frongt@lemmy.zip · 2 up, 3 down · 4 days ago

            Sure, but nobody wants to do that, even at fair pay. Unpaid open source volunteer projects REALLY don’t want to do that, and risk burning out what is typically a solo main dev.