Thoughts on the #slopdemic

Move over #vulnpocalypse — there's a new term we need to talk about: the #slopdemic. AI didn't invent low-quality vuln reports, but it just turbocharged them, and F/OSS is drowning.


So, I'm proposing a new term to pair with #vulnpocalypse: The #slopdemic.

fwiw, vuln report "slop" has always been a thing (my resume will explain how I know this to be true). Sometimes it's optimism combined with an "11 out of 10 for enthusiasm, with about a 3 out of 10 for utility" — folks doing this typically just need some education on what is actually valuable. Other times it's #begbounty or opportunism that is completely lacking empathy at best, and bordering on malice at worst. The reality is that there are a lot of bugs out there, and a lot of reasons for people to want to find them and tell you.

The #slopdemic we're seeing now has a couple of convergent components to it:

  • AI has genuinely made it easier to find vulnerabilities.
  • AI has reduced the cost of writing a plausible submission down to almost zero (note the use of "plausible" — it is doing a lot of heavy lifting here... the vuln doesn't have to be real to look real, and people hallucinate too).
  • AI has also given people who have absolutely no idea what they're doing the ability to ascend the "Mount Stupid" section of the Dunning-Kruger curve in record time, and substantially lowered the barrier to entry for this particular behavior, which nets out to more people submitting more things. This isn't a linear problem, it's actually a compound one.
  • There's a pretty huge gap in normalized disclosure/CVD (Coordinated Vulnerability Disclosure) best practices for hunters (not as a buzz-kill or a big-brother thing, but to educate on vulnerability disclosure while protecting the user)... so rookies are jumping in without necessarily understanding the equities or even that they exist in the first place. This is something disclose.io is pretty actively working on at the moment.
  • ...and there's one other thing: there's a trend of xyz offensive security startup spamming PSIRTs, platforms, and especially open-source projects in order to increase their own marketing clout. This has been going on for a while now, but it has hit the point where F/OSS is drowning — this one is the trigger for this post, mostly because it legitimately pisses me off.

I see a couple of things needing to happen here, some of which I discussed with Mackenzie Jackson during RSAC on The Secure Disclosure podcast, and it borrows heavily from my experiences of solving earlier versions of this same problem:

  • Upstream: I genuinely think we need to re-establish a call-out culture on known bad actors. Not the overly enthusiastic (they're the ones who need education) but the deliberately annoying/ignorant, and definitely the vendors that are dunking on F/OSS right now. This is a messy solution that people tend not to like, but it serves a) education and b) deterrence all at once.
  • Midstream: We've gotta figure out this triage problem. The reality is that the prime culprit in all of this is vulnerable software, so the solution isn't ostrich risk-management — it's figuring out how to scale discerning the signal from the noise.
  • Downstream: The fix is the hard part. Hunters need to understand that, and to be thinking about how to make that part of the process as easy for the vulnerable target as possible (assuming, of course, you actually ARE doing this stuff in the interest of Internet safety).

Forgive the rant, but I wanted to provoke a bit of a group-think conversation here. Interested in any/all suggestions and comments from folks who've been thinking about this.


Originally published on LinkedIn.