Conversation

On the morning of the 13th day of the year we have received *checks notes* 13 vulnerability reports on Hackerone this year.

None a confirmed vulnerability.

I suppose the upside is that lots of people are scrutinizing and trying really hard to poke holes.

Ironically, we have also received complaints from people who get annoyed when we disclose so many rubbish reports on Hackerone...

https://github.com/curl/curl/issues/20245

and of course some of the people I ridicule, ban and expose in these reports come back to me all up in arms about them being completely innocent and they did not know and now I have ruined their professional lives because their cool hacker aliases are now tainted.

@bagder Very sad indeed.

But we *do* let reports through if the hacker alias is really cool. Which, in these cases, they really weren't. 🔥

@icing @bagder You gave them a second chance at getting cooler, if you think about it.

@bagder huh??? Doesn't curl policy explicitly mention that the use of AI must be disclosed? Is it not entirely their own fault that they always miss this part?

@bagder You mean I can't keep using "The Master of Disaster" on GitHub???

@jwz pfft, there is not even *one* "leet speak" letter in that name!

@bagder
> it clogs hacktivity for people wanting to read good disclosures

I don't use hackerone but I'd imagine there are filters in the UI to hide these?

@bagder, I suppose that's a great ad for their company, having a GitHub account that was literally used only to complain that you're disclosing how incompetent they are.

@bagder 🎻 – pity there isn't an emoji with an even smaller one.

@bagder If they don't check their AI slop before posting, it's up to them to take the (rightful) beating for it.

No mercy.
