
“The world’s issues are very complex and real, but criminals still make up a lot of the activities that organizations do and many of those activities are very serious,” Hultquist adds. “The use of zero-day by criminals is limited, and those who use it are successful, so I think we should not underestimate the problems of many criminals who have a zero-day in their hands.”
For researchers who make money through bug hunting, however, times are changing. The command-line tool Curl ended its bug bounty program (running HackerOne’s third project) in January after it was flooded with low-quality AI-generated scripts.
“We have determined the hard way that high risk provides people with a very strong incentive to seek and find ‘problems’ in bad faith that lead to exaggeration and abuse,” the group wrote at the time, adding that “we continue to appreciate and appreciate the official reports of the threat.”
Last week, leading Linux developer Linus Torvalds wrote that the popular Linux mailing list has become “unmanageable” due to the high volume and repetition of AI bug reports.
In April, however, Daniel Stenberg, founder and CEO of Curl, said in a LinkedIn post that the quality of the provisions has improved. “Over the last few months, we have stopped receiving AI safety reports in the curling service,” he wrote. “Instead we get more and more reports of excellent security, almost all done with the help of AI. They are delivered with an unprecedented frequency and put us at great risk.”
And at the end of April, Google announced that it was revising its Vulnerability Reward Programs for Chrome and Android, lowering the rewards for some categories of bugs and adding others.
“As security research expands with AI, we are adapting our software to ensure that we are benefiting from the highest risk of damage to our products,” the company wrote.
“I think 90 highly skilled bug hunters can always find what they’re looking for and get paid by big companies,” says Jonathan Dunn, a cardiologist and bounty hunter. “But even with AI, we still need to encourage ethical researchers to find things about social security and other complex systems that might not get enough attention from conservationists.”
At this point, many organizations seem willing to throw any method they can think of at the problem (and profit) of early detection of the virus. “This is changing the way the bug-hunting industry works, but it still requires a lot of human time,” said Alex Zenla, chief technology officer at cloud security firm Edera.
Earlier this month, Anthropic launched a HackerOne bug bounty for researchers to present their findings on the company’s systems and Claude AI models. Increasingly, however, some researchers argue that system security is necessary to improve the detection of threats. In other words, they are creating digital solutions for different types of problems that eliminate them or make them less usable in practice.
“You can’t solve the problem,” said Niels Provos, a longtime security researcher. “You have to create an architecture that makes a lot of bugs unnecessary.”