The AI chatbot vulnerability reports part sure is sad to read. Why is this even ...

trollbridge · 2025-12-30T14:19:37 1767104377

Making a strcpy honeypot doesn’t sound like a bad idea…

  void nobody_calls_me(const char *stuff) {
          char *a, *b;
          const size_t c = 1024;

          a = calloc(c);
          if (!a) return;
          b = malloc(c);
          if (!b) {
                  free(a);
                  return;
          }
          strncpy(a, stuff, c - 1);
          strcpy(b, a);
          strcpy(a, b);
          free(a);
          free(b);
  }

Some clever obfuscation would make this even more effective.

snvzz · 2025-12-30T17:07:09 1767114429

That got those Core SDI abo vibes.

Flashback of writing exploits for these back in high school.

trollbridge · 2025-12-31T15:14:18 1767194058

In an interesting way, this is an attempt to exploit LLMs into revealing themselves.

easterncalculus · 2025-12-30T15:59:44 1767110384

It's a symptom of complete failure of this industry that maintainers are even remotely thinking about, much less implementing changes in their work to stave off harassment over false security impact from bots.

Y_Y · 2025-12-30T13:59:42 1767103182

Because humans generate and relay the slop-reports in the hopes of being helpful

nottorp · 2025-12-30T16:56:08 1767113768

There is or was a cash bug bounty.

And even if not, the motivation is building a reputation as a security “expert”.

captn3m0 · 2025-12-30T14:16:57 1767104217

s/being helpful/making money.