GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Lukasz Olejnik (lukaszolejnik@mastodon.social)'s status on Monday, 05-May-2025 18:56:07 JST

    AI vulnerability/bug findings and reports are a huge problem. Curl has banned the use of AI-generated submissions via HackerOne because none of it made any sense, and is a waste of resources and time. "We are effectively being DDoSed. If we could, we would charge them for this waste of our time" https://hackerone.com/reports/3125832

    In conversation about 8 days ago from mastodon.social

    Attachments


    1. https://files.mastodon.social/media_attachments/files/114/454/277/293/207/426/original/d4f09be134e938bc.png
    2. curl disclosed on HackerOne: HTTP/3 Stream Dependency Cycle Exploit
       Penetration Testing Report: HTTP/3 Stream Dependency Cycle Exploit. 0x00 Overview: A novel exploit leveraging stream dependency cycles in the HTTP/3 protocol stack was discovered, resulting in memory corruption and potential denial-of-service or remote code execution scenarios when used against HTTP/3-capable clients such as `curl` (tested on version 8.13.0). This report details...
    • Elias Mårtenson (loke@functional.cafe)'s status on Tuesday, 06-May-2025 01:06:28 JST

      @LukaszOlejnik If I click on the reporter's username, there is a list of "closed bugs" together with dollar amounts. Is this money paid out?

      If so, the slop is profitable, so it won't go away.

      In conversation about 8 days ago
    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 06-May-2025 01:07:42 JST
      in reply to
      • Elias Mårtenson
      • Alun Jones

      @loke @ftp_alun @LukaszOlejnik There should be a cost to have more than a small number of outstanding reports, non refundable if any of them are found to be fraudulent.

      In conversation about 8 days ago
    • Alun Jones (ftp_alun@infosec.exchange)'s status on Tuesday, 06-May-2025 01:07:43 JST
      in reply to
      • Elias Mårtenson

      @loke @LukaszOlejnik You've heard of beg bounty, maybe the next thing is microbegging. As long as it's cheap to submit plausible-sounding bugs, people will do so in the hope that one in a hundred will pay a hundred bucks to make the reporter just quietly piss off.
      I say report them as spam, and block them, if the program has that option.

      In conversation about 8 days ago
    • Elias Mårtenson (loke@functional.cafe)'s status on Tuesday, 06-May-2025 01:07:43 JST
      in reply to
      • Alun Jones

      @ftp_alun @LukaszOlejnik Seems like it. Since it's basically free to send out an uncountable number of reports, there is no limit to the number of reports you can send. On the receiving end, there's a lot of work though, but that's not their problem.

      In conversation about 8 days ago


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.