this post was submitted on 24 Apr 2026
231 points (97.9% liked)

Technology

84069 readers
4773 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
231
Nextcloud stops bug bounty program due to increase of low-effort AI-generated reports (discuss.privacyguides.net)
submitted 17 hours ago by mesamunefire@piefed.social to c/technology@lemmy.world
19 comments fedilink hide all child comments
 

Nextcloud has joined a growing list of projects, including Curl, that have ended their bug‑bounty partnerships with HackerOne due to an unmanageable surge of low‑effort, AI‑generated security reports. I received the fol…

top 19 comments
sorted by: hot top controversial new old
[–] mlg@lemmy.world 6 points 7 hours ago

I don't want to shame the user, but there was a recent discussion thread on npmplus where someone was using a compose file generated by an LLM and was confused why the hallucinated env variables weren't working.

The kicker is that npmplus literally gives you a comprehensive and complete compose file with every optional setting commented out with a brief description, so you can just copy and edit to your desire.

Which of course the LLM decided to ignore anyway and come up with its own config options lol.

On a somewhat related note, I feel like bug bounties these days have become sort of under subsidized for well developed applications. All the medium and lower findings payouts are pretty fair, but lots of the high/critical bounties seem a lot less than what I would expect, especially compared to some of the huge prize pools I've seen at some conventions (upwards of 50k USD).

I have no idea how much they fetch on the black market, but it seems weird to me that something like an RCE receives less than 10k, which could easily be utilized by some APT to net millions in a more sophisticated ransomware attack.

[–] darklamer@feddit.org 67 points 16 hours ago (4 children)

I too have started to receive such PRs to review and it's soul crushing.

– I don't understand what you were thinking here, these changes make no sense to me, could you please be so kind and explain to me why you think this would be an improvement?

– I don't know, the LLM just suggested it.

[–] artyom@piefed.social 6 points 9 hours ago (1 children)

Why do they do this?

[–] musket528@sopuli.xyz 8 points 8 hours ago (1 children)

they think that github "contributions" will help them to escape unemployment

[–] artyom@piefed.social 2 points 6 hours ago* (last edited 6 hours ago)

What if they don't use GitHub?

[–] timbuck2themoon@sh.itjust.works 19 points 12 hours ago (2 children)

What I don't get is- these people are disingenuous or actually think theyre helping.

Helping how? The owner of the repo can submit code to your bullshit machine the exact same way. What value are you producing?

[–] SaharaMaleikuhm@feddit.org 9 points 9 hours ago

The people doing this feel like it was their doing because they control the machine basically. This craving to produce something is strong in the ones who have no skills of their own. That's why these PRs only ever come from absolutely incompetent buffoons.

[–] darklamer@feddit.org 8 points 10 hours ago (1 children)

This remains a great mystery to me. As far as I can see, all they achieve is to waste time and resources for everyone involved, including themselves, without creating anything of value to anyone. It's truly baffling.

[–] SaharaMaleikuhm@feddit.org 4 points 9 hours ago

It makes them feel good. Like they done something positive. It's utterly pathetic and I despise these people with no skills, no ability to create anything of their own.

[–] mesamunefire@piefed.social 34 points 16 hours ago* (last edited 15 hours ago) (2 children)

I maintain a library that is used quite a bit and I had to turn off github issues because AI bots are trying to push reporting security vulns...in a library that has no dependencies. Or AI that is setup to waste time by asking pointless questions that do not pertain to the library. The library is literally two files. Technically 3 if you include the tests.

I moved my library over to codeberg recently. So much better of an experience. Its really too bad, I have 15+ years in Github but the AI bots are going to push me out.

[–] OwOarchist@pawb.social 16 points 10 hours ago

I moved my library over to codeberg recently. So much better of an experience. Its really too bad, I have 15+ years in Github but the AI bots are going to push me out.

If AI can finally kill Github and get repos to move to open-source alternatives, maybe AI isn't that bad after all.

[–] vividspecter@aussie.zone 10 points 12 hours ago (1 children)

Hopefully forgejo will have federation released soon which will make interacting across projects easier. Although maybe that will just encourage the bots to use it, so can't win really.

[–] WhyJiffie@sh.itjust.works 4 points 7 hours ago

I think there can be a difference. github encourages this behavior, even provides the tools for it. but if the forgejo community stands strongly against it from the beginning (users reporting true slop, moderators deleting and banning them, admins defederating from intentional slop sources), then maybe that kind will stay away from the platform

[–] mnemonicmonkeys@sh.itjust.works 13 points 15 hours ago (4 children)

At what point do you just ban the mf from making PR's?

[–] OwOarchist@pawb.social 6 points 10 hours ago

Doesn't matter. 100 more just like him are coming tomorrow.

[–] darklamer@feddit.org 16 points 15 hours ago (1 children)

What makes you think that I didn't?

[–] frongt@lemmy.zip 9 points 14 hours ago

There are dozens more every day.

[–] naught101@lemmy.world 5 points 14 hours ago

Every day from now until infinity