this post was submitted on 14 Jul 2025
The curl Bug Bounty is getting flooded with slop, and the security team is prepared to do something drastic to stop it. Going by this specific quote, reporters falling for the hype is a major issue:
Reading through some of the examples at the end of the article, it’s infuriating when these slop reports are opened and, when the patient curl developers try to give them the benefit of the doubt, the reporter replies with “you have a vulnerability and I cannot explain further since I’m not an expert”. Oh, but for sure it’s broken and you are expert enough to know? In one of the examples the reporter kept replying with how a strcpy() could be unsafe, and the curl devs were kindly explaining that yes, in general that function has potential for issues, but their usage was not such a case. The reporter just repeats without paying attention. Insanity.
I love working in systems writing C and assembly but I’ve grown many gray hairs over the years being yelled at that “C is the worst” or “lol memory bug” or the classic “this thing isn’t working perfectly for me so it must have been written in C and we need to rewrite it entirely in (alpha) language which is for sure better than the collective centuries of expertise in C existing now”. These LLMs sure do amplify these obnoxious voices because now the fancy chatbot says so.
At that point, I feel the team would be justified in telling these slop-porters to go fuck themselves and closing the report - they've made it crystal clear they're beyond saving.
(And on a wider note, I suspect the security team is gonna be a lot less willing to give benefit of the doubt going forward, considering the slop-porters are actively punishing them for doing so)
It’s unfortunate that the bug bounty payout removal is probably the best immediate remedy for some filtering, but with curl being everywhere, resume padders are still going to rush to generate slop reports or patches. I hope they are faster and more direct with communication as well. Their current patience and politeness is admirable.