I worked my way through about half the examples. What appalling behavior by several of the "submitters".
This comment [1] by icing (curl staff) sums up the risk:
> "This report and your other one seem like an attack on our resources to handle security issues."
Maintainers of widely deployed, popular software, including those whom have openly made a commitment to engineering excellence [2] and responsiveness [like the curl project AFAICT], can not afford to /not/ treat each submission with some level of preliminary attention and seriousness.
Submitting low quality, bogus reports generated by a hallucinating LLM, and then doubling down by being deliberately opaque and obtuse during the investigation and discussion, is disgraceful.
This comment [1] by icing (curl staff) sums up the risk:
> "This report and your other one seem like an attack on our resources to handle security issues."
Maintainers of widely deployed, popular software, including those whom have openly made a commitment to engineering excellence [2] and responsiveness [like the curl project AFAICT], can not afford to /not/ treat each submission with some level of preliminary attention and seriousness.
Submitting low quality, bogus reports generated by a hallucinating LLM, and then doubling down by being deliberately opaque and obtuse during the investigation and discussion, is disgraceful.
[1] https://hackerone.com/reports/3125832#activity-34389935
[2] https://curl.se/docs/bugs.html (Heading: "Who fixes the problems")