The problem as I understand it is that people are starting to figure out how to make use of LLMs to uncover all the zero days with such efficiency that they're being flooded with bounty claims to the point where it's logistically unrealistic to pay out on all of them. Take my account with a grain of salt though, as that's just rumblings I hear around the sysadmin forums.
Or.... hear me out: The dalit caste that's taken over Microsoft thinks they don't have to pay, bathe, properly dispose of their trash, poo in the loo, etc.
It can be more than one thing going horribly wrong at the same time and I absolutely blame jeets for a lot of Microsoft's decline over the last decade.
The dalits ARE the jeets. They're the lowest class of jeet according to their own culture.
Oh yeah, a $3 trillion company is finding it "logistically unrealistic" to pay.
There is zero evidence this is happening. Plus you can't really use LLMs to effectively find vulnerabilities in a closed source product.
you can't use LLMs to reason about the source code itself, sure. but it can absolutely help you pentest.
Not without a lot of other software to give it access to whatever OS you are testing. Gemini can't even directly access Google Docs yet, let alone your C drive, networked machines, or virtual machines.
if your argument is that Claude can't operate as a full-fledged autonomous pen tester and do the whole job for you, that's true. but any competent engineer should be able to find some productivity boost from it.
An LLM wouldn't really be the right tool. But some of the black-box fuzzing tools out there were already using machine learning approaches before the "AI boom" happened.
I'm sure someone's found a way to apply agentic shit to it.
Monte Carlo methods. Literally: "Try random shit in a simple pattern designed to maximize coverage."
The search space is simply too large to do anything else.
And waste millions of dollars in tokens in the process.
I was talking about the mutation-based ones. They get hybridized with MC frequently, but would be classed as Genetic Algorithms if I'm not mistaken.
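A minimal illustration of the coverage-guided, mutation-based loop the posts above are describing (random mutation, keep whatever reaches new coverage, mutate the survivors), written here as an added example and not code from anyone in the thread. The toy target parser, its planted bounds bug and the branch labels standing in for real instrumentation are all constructed for this demo.

```python
import random

def parse_record(data: bytes, cov: set) -> bool:
    # Constructed toy target: 3-byte magic, 1-byte length, payload, 1-byte checksum. Branch labels in `cov` stand in for edge coverage.
    for i, expected in enumerate(b"FUZ"):
        if i >= len(data) or data[i] != expected:
            cov.add(f"magic_mismatch_{i}")
            return False
        cov.add(f"magic_ok_{i}")
    if len(data) < 4:
        cov.add("missing_length")
        return False
    n = data[3]
    payload = data[4:4 + n]
    if len(payload) != n:
        cov.add("payload_truncated")
        return False
    cov.add("payload_ok")
    checksum = data[4 + n]  # planted bug: unchecked read, IndexError when the trailer byte is missing
    return (sum(payload) & 0xFF) == checksum

def mutate(rng: random.Random, data: bytes) -> bytes:
    # One random single-byte mutation: overwrite (most often), insert or delete.
    buf, roll = bytearray(data), rng.random()
    if roll < 0.7 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif roll < 0.85:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(target, seeds, iterations=100_000, seed=1):
    # Coverage-guided mutational loop: the corpus is the population; a child survives only if it reaches a branch no earlier input reached.
    rng = random.Random(seed)
    corpus, seen = list(seeds), set()
    for s in corpus:
        target(s, seen)
    for step in range(1, iterations + 1):
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)  # favour the newest survivor, AFL-style
        child, cov = mutate(rng, parent), set()
        try:
            target(child, cov)
        except Exception as exc:  # a crash is the fuzzer's payoff
            return {"crash": child, "error": type(exc).__name__, "steps": step,
                    "corpus": len(corpus), "coverage": len(seen | cov)}
        if cov - seen:  # new branch hit: keep this input as a parent for later rounds
            seen |= cov
            corpus.append(child)
    return {"crash": None, "error": None, "steps": iterations, "corpus": len(corpus), "coverage": len(seen)}
```

Starting from the seed b"AAAA", the three magic bytes are discovered one at a time because each match is a new branch that gets kept, which is exactly why coverage feedback beats blind random input on a search space this size.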
not relevant. the point of bug bounties is that you're basically paying off people who might be tempted to use those vulnerabilities against you, getting them to tell you first instead of the world.
stop paying, and they take their information to the next highest bidder.
Ok then just change the webpage, or even just delete it?