Vulnerability reports are not special anymore
Scale and Nature of Vulnerability-Report Spam
- Many companies now receive multiple unsolicited reports per day or per week, often clearly AI-generated, low quality, or extortion-adjacent.
- Common patterns: trivial CSS/UI issues, misclassified “critical” findings, or reporting intended behavior as vulnerabilities.
- Maintainers and security teams report burnout and consider shutting down or tightening programs (e.g., banning AI-written reports, requiring video PoCs, adding “turtle123”-style hidden tokens).
Bug Bounties, Incentives, and Legal Risk
- Suggestions to deter spam: small per-report fees (possibly non-refundable), micro-paywalls for contact forms, or strict rules.
- Concerns: misaligned incentives (companies may reject valid bugs to avoid paying), accounting/legal complexity of keeping fees, and chilling effects because payments can deanonymize researchers and increase perceived arrest risk.
- Some researchers recount being ignored or under-rewarded even for nontrivial DoS/RCE-style issues.
CVE Fatigue and Dependency Hell
- Many complain about CVE overload, especially high-severity ratings for low-impact issues (e.g., ReDoS in build/dev tools, obscure file formats).
- Dependabot and scanners create large volumes of alerts, including for dev dependencies; teams struggle to separate real risk from noise.
- Counterpoint: dev and build dependencies are genuine attack vectors (e.g., supply chain, exfiltration from dev/CI systems), especially in regulated sectors.
- Resulting patterns: some auto-merge all updates; others batch updates or attempt to minimize dependency graphs.
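The three responses above (auto-merge everything, batch updates, prune the graph) are all ways of deciding which scanner alerts deserve attention. The following is an added example, not code from the discussion or from any scanner: a small triage policy that buckets Dependabot-style alerts by severity, by whether the dependency ships at runtime or only runs in dev/CI, and by an optional reachability result. It deliberately never drops dev/CI alerts (the counterpoint above), it sends unknown-reachability high-severity dev alerts to a human rather than the urgent queue, and it groups the non-urgent remainder per ecosystem so one batched PR can bump them. Package names, ecosystems, advisory ids and the `reachable` field are constructed placeholders.

```python
"""Triage policy for dependency-scanner alerts (constructed example, not a real scanner's logic)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Severity labels as scanners commonly emit them; "moderate" is treated as "medium".
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "moderate": 2, "low": 1}


@dataclass(frozen=True)
class Alert:
    package: str
    ecosystem: str                   # e.g. "npm", "pip" (constructed values)
    severity: str                    # "critical" | "high" | "medium" | "low"
    scope: str                       # "runtime" or "development", as the scanner labels it
    advisory: str                    # placeholder id, not a real advisory identifier
    reachable: Optional[bool] = None # result of a reachability check if one ran, else None


def triage(alert: Alert) -> str:
    """Return the bucket an alert lands in: 'now', 'review' or 'batch'."""
    rank = SEVERITY_RANK.get(alert.severity.lower())
    if rank is None:
        return "review"              # malformed or unknown severity: a human looks at it
    if alert.reachable is False:
        # Vulnerable code path is not called. Still patched, just with the next batch;
        # a wrong "not reachable" verdict is the failure mode to watch for here.
        return "batch"
    if rank >= 3:                    # high or critical
        if alert.scope == "runtime":
            return "now"
        # Dev/CI dependency: a genuine vector (CI secrets, build output), so never dropped.
        # Confirmed reachable -> urgent; unknown -> human review instead of the urgent queue.
        return "now" if alert.reachable else "review"
    return "batch"                   # medium/low: ship with the periodic batch


def plan(alerts: List[Alert]) -> dict:
    """Group alerts into buckets; 'batch' is keyed by ecosystem so one PR bumps them together."""
    out = {"now": [], "review": [], "batch": defaultdict(list)}
    for a in alerts:
        bucket = triage(a)
        if bucket == "batch":
            out["batch"][a.ecosystem].append(a.package)
        else:
            out[bucket].append(a.package)
    out["batch"] = dict(out["batch"])
    return out


# Constructed sample alerts mirroring the cases discussed above.
SAMPLE_ALERTS = [
    Alert("web-framework", "pip", "high", "runtime", "ADV-0001"),
    Alert("regex-linter", "npm", "high", "development", "ADV-0002"),   # ReDoS in a dev-only tool
    Alert("ci-uploader", "npm", "critical", "development", "ADV-0003", reachable=True),
    Alert("image-lib", "pip", "critical", "runtime", "ADV-0004", reachable=False),
    Alert("test-runner", "npm", "low", "development", "ADV-0005"),
    Alert("yaml-parser", "pip", "medium", "runtime", "ADV-0006"),
    Alert("legacy-thing", "pip", "n/a", "runtime", "ADV-0007"),         # malformed severity
]

if __name__ == "__main__":
    for bucket, items in plan(SAMPLE_ALERTS).items():
        print(bucket, items)
```

Run it to see the high-severity ReDoS in the dev-only linter land in `review` rather than `now`, while the critical CI uploader with a confirmed reachable path goes straight to the urgent queue. The policy table is the part a team would tune; the point is that the decision is explicit and reviewable instead of being implied by whoever happens to click "merge".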
LLMs in Security: Capability and Limitations
- Consensus: LLMs greatly lower the cost of finding many shallow or pattern-based bugs and also generate large volumes of false or overstated reports.
- Some see LLMs as at or near “average” low-effort researchers for certain classes of bugs; others call that claim exaggerated and insulting.
- Several orgs now use LLMs to triage incoming reports, classify severity, or filter spam; others propose agentic tooling to auto-audit and even patch code.
- Skeptics stress “jagged” intelligence: models can miss hard bugs, hallucinate issues, and cannot yet provide reliable last-mile impact analysis.
Are Vulnerability Reports Still Special?
- One side: vulnerabilities remain fundamentally different from ordinary bugs; confidentiality and coordination are even more important now that patches are easier to weaponize.
- Other side: the correlation between “security report” and “real, impactful vulnerability” has collapsed, making reports feel like just more noisy bug tickets.
- Many argue that the scarce resource is no longer bug-finding but trustworthy triage and demonstration of real-world impact.
Security Practice, Formal Methods, and Culture
- Some advocate moving toward memory-safe languages, formal methods, and stronger spec-level reasoning; others note undecidability and high cost limit full verification.
- There is tension between a “perfect security or failure” mindset and pragmatic risk management with defense-in-depth.
- Several emphasize the role of trust relationships with known researchers, better incentives, and more professional, less adversarial interaction between security and engineering.
Future Outlook (Unclear and Contested)
- One view: current “vulnpocalypse” is temporary; LLMs will chew through easy bugs, then be integrated pre-release, reducing external reports.
- Counterview: LLMs will also amplify insecure code creation, and many orgs will never adopt robust pre-release scanning, so volume and noise will remain high.
- Some predict public bounty programs will shrink or close due to slop, pushing security work toward trusted networks and internal or curated programs.