Posted by goranmoomin 10 hours ago

Vulnerability reports are not special anymore (words.filippo.io)
245 points | 133 comments | page 3
_el1s7 2 hours ago
> LLMs are as good as almost any security researcher, and anyone4 can run them.

What is this, rage bait? It's bullshit, and insulting to actual security researchers.

That might be true for low-effort vulnerabilities and fake security researchers, but the real security researchers are far from being replaced by LLMs.

jongjong 4 hours ago
I found a DoS vulnerability in Coinbase several months ago on Hacker One. It took me literally 30 minutes to find. First time I did this in my life. I could craft a message cheaply which, when sent as the HTTP payload to a specific endpoint, would cause the server to hang for a full 30 or so seconds before getting a response. I could have easily scaled up that attack, cheaply...

I filed a report, they marked it as 'informative' and thanked me, recommended I keep looking for more vulnerabilities, but no payment at all; they said I had to be able to demonstrate major disruption of service... Which I presume is illegal. I literally showed them all the ingredients of the attack, the exact curl commands, payloads; the exact response delay could easily be verified; you could see the server response slowing down proportional to the degree of nesting in the payload. I could execute it without authentication too; so it was essentially certain that the attack could be scaled, but they made it impossible to get a reward.

The hardest part was writing the report which took several hours.

So yeah, 30 minutes of looking for a vulnerability, no prior experience in security research, first project I looked into on Hacker One, ever... A company in the crypto sector which is a major target of hackers and takes security relatively seriously.

Imagine how insecure most software is! Imagine how bad most vibe-coded software is especially! Companies might as well run their servers directly inside Kim Jong Un's data center in North Korea.

North Korean hackers probably have a dashboard which shows more detailed and accurate platform analytics than what the founders of the company can see.

agolio 7 hours ago
Tangent point, I think more broadly this is a big piece of AI-cynicism in general: “x isn’t special anymore”.

It’s tough staying motivated on a craft when an AI is nearly as good as you. Chess players manage to do it at least.

Avicebron 7 hours ago
> Chess players manage to do it at least.

The 5 on earth still getting paid to play chess?

fragmede 7 hours ago
There's only one Magnus Carlsen, who earned > $1 million in 2025 for playing chess, but the long tail, there were 26 people who made more than $100k, https://thechessworld.com/articles/general-information/the-1...

but like, if you mean literally "someone gave them money and they played a game of chess", the number becomes much bigger. Chess coaches, streamers, club instructors, exhibition players, league players, camp counselors, and titled players receiving appearance fees, etc. All told, you're looking at tens of thousands across the world.

moi2388 4 hours ago
And if you mean “people who can live off of tournament winnings” it’s not more than 26.

It’s like most of art, writing, and sports. The only way to make money is by becoming a teacher.

z0ltan 7 hours ago
[dead]