this post was submitted on 24 Apr 2026
244 points (98.0% liked)

Technology

Nextcloud has joined a growing list of projects, including Curl, that have ended their bug‑bounty partnerships with HackerOne due to an unmanageable surge of low‑effort, AI‑generated security reports. I received the fol…

[–] mlg@lemmy.world 6 points 10 hours ago

I don't want to shame the user, but there was a recent discussion thread on npmplus where someone was using a compose file generated by an LLM and was confused why the hallucinated env variables weren't working.

The kicker is that npmplus literally gives you a comprehensive and complete compose file with every optional setting commented out with a brief description, so you can just copy and edit to your desire.

Which of course the LLM decided to ignore anyway and come up with its own config options lol.

On a somewhat related note, I feel like bug bounties these days have become sort of undersubsidized for well-developed applications. All the medium and lower findings' payouts are pretty fair, but lots of the high/critical bounties seem a lot less than what I would expect, especially compared to some of the huge prize pools I've seen at some conventions (upwards of 50k USD).

I have no idea how much they fetch on the black market, but it seems weird to me that something like an RCE receives less than 10k, which could easily be utilized by some APT to net millions in a more sophisticated ransomware attack.
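One defender-side check the hallucinated-env-variable story above suggests, added here as an example that is not from the thread or from the npmplus project: build the set of documented settings from a project's own compose template (commented-out options included, since that is how the template documents them) and flag every variable a generated compose file sets that the template never mentions. The template, the generated file and all variable names in them are constructed placeholders, not npmplus's real settings.

```python
import re

# Constructed reference template in the style of a project-supplied compose file:
# every optional setting is present but commented out with a short description.
# Variable names are placeholders, not the real npmplus settings.
REFERENCE_COMPOSE = """\
services:
  app:
    image: example/app:latest   # placeholder image
    environment:
      - "TZ=Europe/Berlin"
      #- "DISABLE_IPV6=false"        # set true on hosts without IPv6
      #- "LOG_LEVEL=info"            # trace, debug, info, warn, error
      #- "ENABLE_GEOIP=false"        # download GeoIP database on start
"""

# Constructed compose file as an LLM might emit it: two documented keys, two invented ones.
GENERATED_COMPOSE = """\
services:
  app:
    image: example/app:latest
    environment:
      - TZ=UTC
      - LOG_LEVEL=debug
      - AUTO_SSL_RENEW=true
      - ADMIN_PASSWORD=changeme
"""

# Matches list-style environment entries, optionally commented out and optionally quoted:
#   - KEY=value      - "KEY=value"      #- "KEY=value"   # description
ENV_LINE = re.compile(r'^\s*#?\s*-\s*"?([A-Z][A-Z0-9_]*)\s*=')


def env_keys(compose_text: str, include_commented: bool) -> set[str]:
    """Collect variable names from list-style `environment:` entries.
    With include_commented=True, commented-out entries count too, which turns a
    template with every option commented out into the documented option set."""
    keys = set()
    for line in compose_text.splitlines():
        if line.lstrip().startswith("#") and not include_commented:
            continue
        match = ENV_LINE.match(line)
        if match:
            keys.add(match.group(1))
    return keys


def unknown_env_keys(generated: str, reference: str) -> list[str]:
    """Variables the generated file sets that the reference template never documents."""
    documented = env_keys(reference, include_commented=True)
    used = env_keys(generated, include_commented=False)
    return sorted(used - documented)


if __name__ == "__main__":
    for key in unknown_env_keys(GENERATED_COMPOSE, REFERENCE_COMPOSE):
        print(f"undocumented setting, check before deploying: {key}")
```

Running it on the constructed input reports `ADMIN_PASSWORD` and `AUTO_SSL_RENEW` as undocumented, i.e. exactly the keys that would silently do nothing in a real deployment.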