283 points summarity | 16 comments
1. mkagenius No.44369114
> XBOW submitted nearly 1,060 vulnerabilities.

Yikes, explains why my manually submitted single vulnerability is taking weeks to triage.

replies(2): >>44369323 #>>44374572 #
2. tptacek No.44369323
The XBOW people are not randos.
replies(1): >>44369375 #
3. lcnPylGDnU4H9OF No.44369375
That's not their point, I think. They're just saying that those nearly 1060 vulnerabilities are being processed so theirs is being ignored (hence "triage").
replies(1): >>44369411 #
4. tptacek No.44369411{3}
If that's all they're saying then there isn't much to do with the sentiment; if you're legit-finding #1061 after legit-findings #1-#1060, that's just life in the NFL. I took instead the meaning that the findings ahead of them were less than legit.
replies(3): >>44369640 #>>44369966 #>>44370374 #
5. croes No.44369640{4}
Whether it is a legit finding is precisely what needs to be checked, but you’re at spot 1061.

> 130 resolved

> 303 were classified as Triaged

> 33 reports marked as new

> 125 remain pending

> 208 were marked as duplicates

> 209 as informative

> 36 not applicable

20% binds a lot of resources if you have a high input of submissions, and the numbers will rise.

replies(1): >>44369723 #
6. tptacek No.44369723{5}
I think some context I probably don't share with the rest of this thread is that the average quality of a HackerOne submission is incredibly low. Like however bad you think the median bounty submission is, it's worse; think "people threatening to take you to court for not paying them for their report that they can 'XSS' you with the Chrome developer console".
replies(3): >>44370182 #>>44370892 #>>44371926 #
7. lcnPylGDnU4H9OF No.44369966{4}
> there isn't much to do with the sentiment

I see what you're saying but I think a more charitable interpretation can be made. They may be amazed that so many bug reports are being generated by such a reputable group. Looking at your initial reply, perhaps a more constructive comment could be one that joins them in excitement (even if that assumption is erroneous) and expands on why you think it is exciting (e.g. this group's reputation for quality).

8. croes No.44370182{6}
We’ll get these low-quality submissions with AI too.

The problem is that the people who know how to use AI properly will be slower and more careful in their submissions.

Many others won’t, so we’ll get lots of noise hiding the real issues. AI makes it easy to produce many bad results in a short time.

replies(1): >>44370554 #
9. stronglikedan No.44370374{4}
> I took instead the meaning that the findings ahead of them were less than legit.

I took instead the opposite - that they were no longer shocked that it was taking so long once they found out why, as they knew who they were and understood.

10. tptacek No.44370554{7}
Everyone already agrees with that; the interesting argument here is that it also makes it easy to produce many good results in a short time.
replies(1): >>44371865 #
11. peanut-walrus No.44370892{6}
My favorite one I've seen is "open redirect when you change the domain name in the browser address bar". This was submitted twice several years apart by two different people.
12. croes No.44371865{8}
But the good ones don’t have the same output rate because they are checked by humans before submission.

They are faster than the purely manual ones but can’t beat the AI-created bad ones in either speed or numbers.

It’s like the IT security version of the Gish gallop.

replies(1): >>44372127 #
13. aspenmayer No.44371926{6}
I can’t speak to the average quality of submissions, as I’ve only made one to HackerOne myself iirc. I don’t even consider myself good at coding or aware of how to file a bug report or bounty submission. I reported that on the iOS Coinbase app, if you were on a VPN, the Coinbase app PIN simply didn’t exist anymore, and did not appear in the settings as enabled either. I included a full video of this occurring and it seemed reproducible. The Coinbase person said that this was not an issue because you would already need access to the physical device and know the iOS passcode; relevant to this is that at the time (2021), and maybe now, the Coinbase iOS app didn’t hook the iOS passcode for access control, like Signal or other apps do, but instead had its own app passcode. The fact that this was circumventable by adding and connecting to any VPN on the same iOS device seemed like a bug in the implementation, even if it is the code working as written. The issue was closed and I lost 5 points, HackerRank I think the points are called. It felt very hostile to my efforts that I lost points, since I don’t think that was justified. Perhaps that is just how the platform works for denied bug reports on HackerOne, but I have no way of knowing that, as the Coinbase report is the only time I used the platform.
replies(1): >>44374080 #
14. tptacek No.44372127{9}
Then you're refuting the premise of the article, and you should be more specific in your critique, because right now all you're saying is "this can't work".
15. mkagenius No.44374080{7}
They have a concept of "rando" as you can see above. They don't usually say that out loud.

Basically if you are new, the reviewer thinks "oh, a rando" and in his mind he has already downgraded the severity a bit.

It's unfortunately a kind of cartel at this point. Not full-fledged and out, but a low-key cartel. They have a circle of friends whose CSRF would also get better valuation. It's a sorry state.

16. k0ns0l No.44374572
:(