Bugcrowd just declared war on "AI Slop" and after my recent experiment, I completely understand why.
I wanted to see exactly how quickly an LLM could help identify a security flaw in a popular open-source application.
It took me approximately 1 hour to:
- Have the LLM find a target, pretix/pretix, with 2k+ stars.
- Understand the functional use cases.
- Threat model the application.
- Generate a working Proof of Concept for an SSRF via admin-configured outbound URLs.
Pretix quickly credited me in their release notes. No CVE, though - they updated their docs instead of the code! 😊
While my finding was a valid, verified issue, this experiment highlights exactly what Bugcrowd's recent policy change is trying to fight:
Sloptimism.
Because it is now incredibly easy to generate a vulnerability report in under an hour, platforms are drowning in copy-pasted, unverified AI hallucinations.
The barrier to entry for vulnerability discovery has completely vanished.