Posts
4
Comments
8
Joined
1 yr. ago

Not The Onion @lemmy.world

Bees attack French town, leaving 24 injured

Not The Onion @lemmy.world

Front door to UK House of Lords does not work despite hefty £9.6 million price tag

  • https://infosec.exchange/@harrysintonen/114455549143577092

    Why does the #AISlop problem exist at #hackerone (and likely other bug bounty platforms)?

    Because apparently it works: https://hackerone.com/evilginx/hacktivity?type=user

    It seems that some projects pay bounties for such AI Slop reports.

    This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:

    • It looks convincing at a glance, especially if you're not a subject matter expert.
    • It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
    • It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refers to some old or new versions of components, using non-existent commit hashes.
    • The report makes up some convincing functionality or names that are novel, but don't really exist.

    An expert’s look at the report shows a number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.

    The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.

    Why didn't it work against the curl project? The attacker miscalculated badly. The curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.

    It's only going to get worse from here. This could easily kill the whole concept of #bugbounties. Why?

    • Genuine researchers quit in frustration as they don't get a proper reward for their hard work, and see #aislop scoop the money.
    • Orgs/projects abandon bug bounty programs since they get mostly AI Slop reports.
    • Financial backing (as donations or investment) for bug bounty programs disappears as the money is paid to scammers.
  • I just like what they post. If I find an interesting post (usually because someone I follow boosted it), I look at the author's other posts, and if I find them interesting, I follow them.

    There is also a list of accounts with the most followers: https://fedidb.com/accounts.

  • Cryptography @ Infosec.pub @infosec.pub

    A bit more on Twitter/X’s new encrypted messaging

    Not The Onion @lemmy.world

    Eight US states seek to outlaw chemtrails – even though they aren’t real