| I think looking at one example is useful: https://hackerone.com/reports/2823554 What they did was: 1) Prompt LLM for a generic description of potential buffer overflows in strcopy() and a generic demonstration code for a buffer overflow. (With no connection to curl or even OpenSSL at all) 2) Present some stack traces and grep results that show usage of strcopy() in curl and OpenSSL. 3) Simply claim that the strcopy() usages from 2) somehow indicate a buffer overflow, with no additional evidence. 4) When called out, just pretend that the demonstrator code from 1) were the evidence, even though it's obvious that it's just a textbook example and doesn't call any code from curl. It's not that they found some potentially dangerous code in curl and didn't go all the way to prove an overflow, which could have at least some value. The entire thing is just bullshit made to look like a vulnerability report. There is nothing behind it at all. Edit: Oh, cherry on top: The demonstrator doesn't even use strcopy() - nor any other kind of buffer overflow. It tries to construct some shellcode in a buffer, then gives up and literally calls execve("/bin/sh")... |
The worst part is that once they are asked for clarifications by the poor maintainers, they go on offense and become aggressive. Like imagine the nerve of some people, to use LLMs to try to gaslight an actual expert that they made a mistake, and then act annoyed/angry when the expert asks normal questions