this post was submitted on 20 Jun 2026
355 points (97.8% liked)

Technology

85600 readers
3782 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
355
Low-skilled attacker used Claude, Codex to breach 14 companies (www.helpnetsecurity.com)
submitted 1 day ago by sanitation@lemmy.today to c/technology@lemmy.world
82 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] DeadDigger@lemmy.zip 4 points 22 hours ago (1 children)

Well the problem is that for example curl got flooded with generated security reports where only 5% had some true security potential. So your llm will basically flood you with false positives

[–] ByteJunk@lemmy.world 5 points 21 hours ago (1 children)

If 5% of the reports are genuine security vulnerabilities that they wouldn't have found otherwise, that's looking like a big win to me, not sure how you see it differently.

[–] frongt@lemmy.zip 3 points 21 hours ago (1 children)

The problem is identifying which 5%. Nobody wants to filter that much AI slop.

[–] AwesomeLowlander@sh.itjust.works 7 points 21 hours ago (3 children)

If you're working for a company's cybersec, that's your job. And a much preferable one to waiting for an attacker to do it for you.

[–] borari@lemmy.dbzer0.com 3 points 9 hours ago

If you’re submitting a vulnerability to a public repo, that’s also your job. These slop reports that are wasting maintainers time should never have been reported. The person tasking the LLM is out of their depth and can’t be the human in the loop that verifies the vulnerability report before submitting because they don’t have the required knowledge to do that. It’s a shame, because if people who had the requisite knowledge were the ones submitting, the ratio of valid reports to noise would be way higher than 5% and open source maintainers wouldn’t be feeling burned the fuck out.

[–] ByteJunk@lemmy.world 5 points 13 hours ago

Exactly. If you go through 100 tickets and find 5 real vulnerabilities to patch, that sounds incredibly good...

[–] frongt@lemmy.zip 1 points 10 hours ago

Sure, but nobody wants to do that, even at fair pay. Unpaid open source volunteer projects REALLY don't want to do that, and risk burning out what is typically a solo main dev.