Nextcloud has joined a growing list of projects, including Curl, that have ended their bug‑bounty partnerships with HackerOne due to an unmanageable surge of low‑effort, AI‑generated security reports. I received the fol…

  • darklamer@feddit.org · 82 upvotes · 2 days ago

    I too have started to receive such PRs to review and it’s soul crushing.

    – I don’t understand what you were thinking here, these changes make no sense to me, could you please be so kind and explain to me why you think this would be an improvement?

    – I don’t know, the LLM just suggested it.

    • mesa@piefed.social (OP) · 45 upvotes · edited · 2 days ago

      I maintain a library that is used quite a bit and I had to turn off GitHub issues because AI bots are trying to push reporting security vulns…in a library that has no dependencies. Or AI that is set up to waste time by asking pointless questions that do not pertain to the library. The library is literally two files. Technically 3 if you include the tests.

      I moved my library over to Codeberg recently. So much better of an experience. It’s really too bad, I have 15+ years in GitHub but the AI bots are going to push me out.

      • OwOarchist@pawb.social · 25 upvotes · 1 day ago

        I moved my library over to Codeberg recently. So much better of an experience. It’s really too bad, I have 15+ years in GitHub but the AI bots are going to push me out.

        If AI can finally kill GitHub and get repos to move to open-source alternatives, maybe AI isn’t that bad after all.

      • vividspecter@aussie.zone · 16 upvotes · 1 day ago

        Hopefully Forgejo will have federation released soon, which will make interacting across projects easier. Although maybe that will just encourage the bots to use it, so you can’t win really.

        • WhyJiffie@sh.itjust.works · 11 upvotes · 1 day ago

          I think there can be a difference. GitHub encourages this behavior, and even provides the tools for it. But if the Forgejo community stands strongly against it from the beginning (users reporting true slop, moderators deleting and banning them, admins defederating from intentional slop sources), then maybe that kind will stay away from the platform.

    • timbuck2themoon@sh.itjust.works · 25 upvotes · 1 day ago

      What I don’t get is: are these people disingenuous, or do they actually think they’re helping?

      Helping how? The owner of the repo can submit code to your bullshit machine the exact same way. What value are you producing?

      • AeonFelis@lemmy.world · 1 upvote · 59 minutes ago

        Anecdote: there is this annual event called Hacktoberfest for promoting OSS contribution. It offers various merchandise as a reward for PRs that get merged as part of the event. A few years back, someone posted a YouTube video trying to promote the event, and demonstrated how to create a PR by going to some repository and adding some arbitrary text to the README.

        What he wanted to convey: “this is the procedure for sending contributions”

        What people understood: “you can win a free t-shirt by making small changes to non-code text”

        The result: https://joel.net/how-one-guy-ruined-hacktoberfest2020-drama

        LLMs did not create this problem. The desire to make bullshit contributions in order to be seen as contributing seems to be a basic human need. At least - for some humans. Generative AI did make it so much worse, though, because it’s so good at bullshitting that you have to waste time and spend mental resources in order to recognize the bullshit.

      • SaharaMaleikuhm@feddit.org · 13 upvotes · 1 day ago

        The people doing this feel like it was their doing because they control the machine basically. This craving to produce something is strong in the ones who have no skills of their own. That’s why these PRs only ever come from absolutely incompetent buffoons.

        • bcgm3@lemmy.world · 1 upvote · edited · 39 minutes ago

          Same for text gen “writers” and image gen “artists” and audio gen “musicians.”

          It’s a shortcut to creating a product that, in their uninitiated mind, is viable.

      • darklamer@feddit.org · 10 upvotes · 1 day ago

        This remains a great mystery to me. As far as I can see, all they achieve is to waste time and resources for everyone involved, including themselves, without creating anything of value to anyone. It’s truly baffling.

        • SaharaMaleikuhm@feddit.org · 8 upvotes · 1 day ago

          It makes them feel good. Like they’ve done something positive. It’s utterly pathetic and I despise these people with no skills, no ability to create anything of their own.