Hacker News new | ask | show | jobs
by naturalmovement 8 days ago
Security is a bit different.

Today it's an industry driven by unscrupulous clout-chasers and a commitment to quantity over quality.

There is a difference between going through patches and pull requests vs. the endless stream of LLM-assisted bullshit that has started cluttering security inboxes in the last few years.
1 comments
tptacek 8 days ago
Vulnerability researchers don't create the vulnerabilities they report. The vulnerabilities exist whether or not they're reported by "clout chasers".
link
dspillett 8 days ago
There is a difference between a proper vulnerability researcher and a clout chaser calling themselves a vulnerability researcher. Research for a start, to assess the problem to see if it is genuine and if so if there are significant mitigating factors (by default or that can be implemented), and checking if it hasn't already been reported, instead of just copypasting some LLM output with minimal review. And to many clout chasers everything they find is a grade A world wrecking highest possible priority "if you don't drop everything else and fix this now you are a kitten murderer and I'm going to release the information to the world in 24 hours" level issue (they know this because they suggested it to an LLM and it told them they were so right).
link
tptacek 8 days ago
No there isn't. The vulnerability is either real or it isn't. How you feel about the researchers doesn't enter into it. People angry about vulnerability research have been making this argument since 1992.
link
dspillett 7 days ago
> No there isn't.

Yes there is, because:

> The vulnerability is either real or it isn't.

this, exactly: sometimes the vulnerability isn't, or isn't a fraction as serious as it is made out to be because it doesn't affect any sane configuration. And the project contributors don't know this until they've wasted time looking into it, time that could be spent looking into actual serious problems.

The extra problem right now is several people/groups dropping the same set of vulnerabilities with not coordination because they've got this great new tool to garner attention and want to be first. So projects have several things to look into that turn out to be exactly the same thing.

link
tptacek 7 days ago
I have no idea what you mean by a "proper" vulnerability researcher and I find the concept faintly offensive. But what do I know?
link
akerl_ 7 days ago
Nobody is obligating open source maintainers to accept or read these reports.
link
dspillett 7 days ago
Plenty of people will loudly state that they are irresponsible for not looking into the reports that they send, so while that isn't a direct obligation it is certainly a punishment, via potential reputation damageĀ¹, for not doing so.

--------

[1] for example, see comments elsewhere in this thread saying things like "maintainers will if they care"

link