Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

“Nation-state issues are very serious and very real, but criminal actors still make up the vast majority of incidents that organizations deal with and many of those incidents are very serious,” Hultquist adds. “The use of zero-days by criminal actors has been fairly limited, and those who use them tend to be really successful, so I think we shouldn’t underestimate the impact of more criminals having zero-days on their hands.”
But for researchers who make their money finding bugs, times are changing. The command-line tool Curl ended its bug bounty program (run through the third-party service HackerOne) in January after it was inundated with low-quality AI-generated submissions.
“We found out the hard way that bug bounty gives people very strong incentives to find ‘issues’ and make them up in bad faith, which causes overload and abuse,” the project wrote at the time, adding, “We still appreciate and value valid vulnerability reports.”
Last week, Linux creator and lead developer Linus Torvalds wrote that a popular security mailing list for Linux has become “almost completely unmanageable” due to the high volume of AI-generated and duplicate bug reports.
In April, Daniel Stenberg, founder and lead developer of Curl, said on LinkedIn that the quality of submissions has improved. “Over the past few months, we have stopped receiving security reports about AI vulnerabilities in Project Curl,” he wrote. “Instead, we’re getting an increasing number of really good security reports, almost all of them produced with the help of AI. They’re being delivered at an unprecedented pace and putting us under a serious burden.”
And at the end of April, Google announced that it was revising its vulnerability reward programs for Chrome and Android, reducing payouts for some categories of bugs while increasing them for others.
“As the landscape of security research with AI evolves, we are making changes in our programs to ensure we reward the most challenging and impactful vulnerabilities in our products,” the company wrote.
“I think the 90th percentile of bug bounty hunters with special skills will always be able to get results and get compensation from big companies,” says Jonathan Dunn, a cardiologist who is also a bug bounty hunter. “But even with AI, we also need to greatly incentivize ethical researchers to find things about public infrastructure and other critical systems that may not get enough attention from advocates.”
Right now, most organizations seem willing to throw every solution they can think of at the problem (and opportunity) of rapid bug discovery. “This changes the dynamics of the bug hunting industry, but it still requires human time,” says Alex Zenla, chief technology officer at the cloud security company Edera.
Earlier this month, Anthropic launched a bug bounty program on HackerOne for researchers to submit findings about the company’s own systems and its Claude AI models. However, some researchers increasingly see structural defenses as necessary to cope with the acceleration of vulnerability discovery. In other words, rather than fixing bugs one at a time, they want to design systems that eliminate entire categories of vulnerabilities, or make them significantly less exploitable in practice.
“You can’t patch your way out of this,” says Niels Provos, a security engineer and longtime researcher. “You need to create an infrastructure that makes as many errors as possible irrelevant.”