‘Never-ending’ AI slop strains corporate hacking reward schemes - FT中文网
登录×
电子邮件/用户名
密码
记住我
请输入邮箱和密码进行绑定操作:
请输入手机号码,通过短信验证(目前仅支持中国大陆地区的手机号):
请您阅读我们的用户注册协议隐私权保护政策,点击下方按钮即视为您接受。
FT商学院

‘Never-ending’ AI slop strains corporate hacking reward schemes

‘Bug bounty’ programmes have seen a jump in spurious AI-generated submissions
00:00

{"text":[[{"start":7.65,"text":"Companies that pay hackers to find flaws in their software are being inundated with low-quality reports generated by AI, forcing some to suspend the programmes altogether. "}],[{"start":18.85,"text":"Businesses that run “bug bounty” schemes have long relied on independent security researchers to spot vulnerabilities. But the rise of AI tools is now overwhelming them with spurious submissions. "}],[{"start":30.950000000000003,"text":"Bugcrowd, whose customers include OpenAI, T-Mobile and Motorola, said the number of reports it received more than quadrupled over a three-week period in March, with most proving to be false. "}],[{"start":43.900000000000006,"text":"Curl, a widely used tool to transfer data across the internet, suspended its paid bug bounty programme in January, citing an “explosion in AI slop reports” and lower-quality submissions. "}],[{"start":55.300000000000004,"text":"Cyber security experts say advances in generative AI are reshaping the economics of bug bounty programmes. While the tools allow experienced researchers to find flaws more quickly, they are also lowering the barrier to entry, triggering a flood of automated or erroneous submissions that companies must sift through."}],[{"start":null,"text":"

The Nextcloud logo displayed on a smartphone screen, with blurred colored lights in the background.
"}],[{"start":75,"text":"The big increase in poor-quality AI reports was “quickly becoming a major problem”, said Ross McKerchar, chief information security officer at cyber security group Sophos. “Bug bounties are going to stay [but] they’re going to have to change,” he said."}],[{"start":89.95,"text":"Bug bounties have grown in popularity since the early 2000s, with schemes offering six-figure payouts for the biggest discoveries. Google’s programme disbursed a total of $17mn last year, up from $7.5mn in 2021. It paid its largest individual reward of $605,000 in 2022 to a user who spotted a vulnerability in its Android mobile operating system."}],[{"start":118.2,"text":"McKerchar said the rise in poor-quality submissions came from both amateurs trying to find bugs for the first time and existing researchers who were “sometimes getting led on by the [AI] agents”. "}],[{"start":130.4,"text":"He added there was a “third cohort” of “experienced AI builders” who had developed automated “end-to-end scanning and submission systems” that were “creating absolute carnage”."}],[{"start":142.35,"text":"Curl’s creator Daniel Stenberg wrote in a blog post that the “never-ending slop” had taken “a serious mental toll to manage and sometimes also a long time to debunk”."}],[{"start":153.6,"text":"Software group Nextcloud suspended its bug bounty programme in April because of the “massive increase of low-quality reports”. It said it hoped to resume the programme once it had found a way to filter submissions effectively."}],[{"start":167.5,"text":"The surge in AI-generated reports comes as Anthropic last month launched Mythos, its new cyber AI model, which it says can find software flaws faster than humans."}],[{"start":178.3,"text":"Companies running bounty bug programmes have started to introduce more stringent background checks to combat the problem, as well as building AI agents to triage submissions. "}],[{"start":188.20000000000002,"text":"HackerOne, whose bug-reporting platform serves Goldman Sachs, Google and the US Department of Defense, said it had “introduced new agentic validation capabilities” this year to “help organisations manage high volumes of findings”, such as those generated by models like Mythos."}],[{"start":205.10000000000002,"text":"The company said submissions had jumped 76 per cent in the year to March. But it said the share of reports flagging legitimate vulnerabilities had remained steady over the past year at 25 per cent."}],[{"start":217.00000000000003,"text":"HackerOne chief executive Kara Sprague said it had in recent weeks seen a rise in “higher quality” reports that had used AI. She added that the rise in AI-generated submissions was “not a strong reason to say we don’t want them” altogether, given that hackers were using the technology to spot more flaws."}],[{"start":235.85000000000002,"text":"Bugcrowd chief Dave Gerry said developments such as Anthropic’s Mythos would assist human bug bounty hunters, not replace them. “AI is going to help with a lot of things but we’re never going to replace that human creativity,” he said."}],[{"start":256.75,"text":""}]],"url":"https://audio.ftcn.net.cn/album/a_1779001094_2483.mp3"}

版权声明:本文版权归FT中文网所有,未经允许任何单位或个人不得转载,复制或以任何其他方式使用本文全部或部分,侵权必究。

科学家提议发射微型卫星在太空“嗅探”核武器

这一构想有助于应对地球周边轨道日益拥挤所带来的冲突风险。

中国宣称首次用海上浮动网捕捉火箭助推器

中国官方媒体称,这次成功测试标志着用于太空飞行的可重复使用火箭技术又向前迈出一步。

西班牙固若金汤的世界杯防线的秘密

尽管战术要求所有非门将球员都压到对方半场,斗牛士军团在本届赛事中仍然保持零失球。

想最快知道世界杯比分?听传统收音机

BBC和英国独立电视台正探索新技术,以减少令体育赛事观众不满的直播延迟。

探秘叫停美国红牌的国际足联神秘委员会

对美国球星福拉林•巴洛贡的禁赛做出暂缓执行决定的机构,由一名阿联酋前议员领导,他有权单方面作出裁决。

孙正义按自己的构想重塑软银

这位资深投资者已将自己置于全球AI热潮的中心,一些人认为他如今掌控的权力过大。
设置字号×
最小
较小
默认
较大
最大
分享×