Most active commenters

    ←back to thread

    XBOW, an autonomous penetration tester, has reached the top spot on HackerOne

    (xbow.com)
    283 points summarity | 11 comments | 24 Jun 25 15:53 UTC | HN request time: 0.203s | source | bottom
    1. jekwoooooe ◴[24 Jun 25 18:23 UTC] No.44369157[source]
    They should ban this or else they will get swallowed up and companies will stop working with them. The last thing I want is a bunch of llm slop sent to me faster than a human would
    replies(2): >>44369219 #>>44369231 #
    2. fredfish ◴[24 Jun 25 18:30 UTC] No.44369219[source]
    As long as they maintain a history per account and discourage gaming with new accounts, I don't see why anyone would want slop that performed lower just because the slop was manual. (I just had someone tell me that they wished the nonsensical bounty submissions they triaged were at least being fixed up with gpt3.)
    3. danmcs ◴[24 Jun 25 18:31 UTC] No.44369231[source]
    HackerOne was already useless years before LLMs. Vulnerability scanning was already automated.

    When we put our product on there, roughly 2019, the enterprising hackers ran their scanners, submitted everything they found as the highest possible severity to attempt to maximize their payout, and moved on. We wasted time triaging all the stuff they submitted that was nonsense, got nothing valuable out of the engagement, and dropped HackerOne at the end of the contract.

    You'd be much better off contracting a competent engineering security firm to inspect your codebase and infrastructure.

    replies(2): >>44369339 #>>44371667 #
    4. tptacek ◴[24 Jun 25 18:38 UTC] No.44369339[source]
    Moreover, I don't think XBOW is likely generating the kind of slop beg bounty people generate. There's some serious work behind this.
    replies(2): >>44369412 #>>44369429 #
    5. tecleandor ◴[24 Jun 25 18:43 UTC] No.44369412{3}[source]
    Still they're sending hundreds of reports that are being refused because they are not following the rules of the bounties. So they better work on that.
    replies(1): >>44369555 #
    6. radialstub ◴[24 Jun 25 18:44 UTC] No.44369429{3}[source]
    Do you have sources for if we want to learn more?
    replies(1): >>44369728 #
    7. tptacek ◴[24 Jun 25 18:52 UTC] No.44369555{4}[source]
    If you thought human bounty program participants were generally following the rules, or that programs weren't swamped with slop already... at least these are actually pre-triaged vetted findings.
    replies(1): >>44371313 #
    8. moyix ◴[24 Jun 25 19:04 UTC] No.44369728{4}[source]
    We've got a bunch of agent traces on the front page of the web site right now. We also have done writeups on individual vulnerabilities found by the system, mostly in open source right now (we did some fun scans of OSS projects found on Docker Hub). We have a bunch more coming up about the vulns found in bug bounty targets. The latter are bottlenecked by getting approval from the companies affected, unfortunately.

    Some of my favorites from what we've released so far:

    - Exploitation of an n-day RCE in Jenkins, where the agent managed to figure out the challenge environment was broken and used the RCE exploit to debug the server environment and work around the problem to solve the challenge: https://xbow.com/#debugging--testing--and-refining-a-jenkins...

    - Authentication bypass in Scoold that allowed reading the server config (including API keys) and arbitrary file read: https://xbow.com/blog/xbow-scoold-vuln/

    - The first post about our HackerOne findings, an XSS in Palo Alto Networks GlobalProtect VPN portal used by a bunch of companies: https://xbow.com/blog/xbow-globalprotect-xss/

    9. tecleandor ◴[24 Jun 25 21:34 UTC] No.44371313{5}[source]
    But I was hoping the idea wasn't "as there's a lot of sloppy posts, we're going to be sloppy too let's flood them". So, use the AI for something useful and at least grep the rules properly. That'd be neat.
    replies(1): >>44374333 #
    10. strken ◴[24 Jun 25 22:21 UTC] No.44371667[source]
    We still get reports for such major issues as "this unused domain held my connection for ten seconds and then timed out, which broke the badly-written SQL injection scanner I found on GitHub and ran without understanding".
    11. weq ◴[25 Jun 25 06:56 UTC] No.44374333{6}[source]
    In the first version it grepped the rules properly. By the 10th interation those rules were lost to the heavens, and replaced by a newly hallucinated set that no one noticed because everyone was now dumber.