If you’re submitting a vulnerability to a public repo, that’s also your job. These slop reports that are wasting maintainers’ time should never have been reported. The person tasking the LLM is out of their depth and can’t be the human in the loop that verifies the vulnerability report before submitting because they don’t have the required knowledge to do that. It’s a shame, because if people who had the requisite knowledge were the ones submitting, the ratio of valid reports to noise would be way higher than 5% and open source maintainers wouldn’t be feeling burned the fuck out.
Sure, but nobody wants to do that, even at fair pay. Unpaid open source volunteer projects REALLY don’t want to do that, and risk burning out what is typically a solo main dev.
The problem is identifying which 5%. Nobody wants to filter that much AI slop.
If you’re working for a company’s cybersec, that’s your job. And a much preferable one to waiting for an attacker to do it for you.
Exactly. If you go through 100 tickets and find 5 real vulnerabilities to patch, that sounds incredibly good…