Program hiatus notice #118
jholdstock commented May 17, 2026
Slugs are automatically generated and do not need to be specified.
> For some additional context, it essentially says it in a fairly nice way with "Report verbosity is increasing and quality is decreasing", but perhaps a more pointed way to say it would be: A very large majority of the reports are LLM-generated reports that are not really issues at all, and the submitters are not verifying that they are real issues before submitting. To make matters worse, because they're LLM-generated, they are needlessly verbose, with multiple pages of (typically incorrect) exposition. Effectively, people are just pointing LLMs at the code and submitting massive dumps of nonsense, thereby essentially outsourcing all of the work of actually vetting the firehose of slop to the program maintainer(s) while they themselves still expect to get a payout for a bounty. While I definitely think it is important overall to maintain a bug bounty program for serious issues, it definitely has to be restructured to something that properly combats that new reality of LLMs running wild with nonsense and people looking to take advantage of it without respecting the actual intent of the program.
>
> Bugcrowd has some excellent pieces on the topic. Apart from the one linked, this one is great: https://www.bugcrowd.com/blog/hacker-opinion-piece-how-lazy-hacking-killed-curls-bug-bounty/