You Did This with an AI and You Do Not Understand What You're Doing Here
Posted 3 months ago · Active 3 months ago
Source: hackerone.com · Tech story · High profile
Sentiment: heated/negative · Debate: 80/100
Key topics
AI-Generated Content
Bug Bounty Programs
Open-Source Security
A bug bounty report on HackerOne was found to be generated by AI, sparking a heated discussion on the misuse of AI in security reporting and the challenges it poses to open-source maintainers.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussion
First comment: 2m after posting
Peak period: 107 comments in 0-6h
Avg per period: 17.8 comments
Comment distribution chart: 160 data points
Key moments
- 01 Story posted: Sep 22, 2025 at 3:59 AM EDT (3 months ago)
- 02 First comment: Sep 22, 2025 at 4:01 AM EDT (2m after posting)
- 03 Peak activity: 107 comments in the 0-6h window, the hottest stretch of the conversation
- 04 Latest activity: Sep 26, 2025 at 9:08 AM EDT (3 months ago)
ID: 45330378 · Type: story · Last synced: 11/26/2025, 1:00:33 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
[0] https://www.bgnes.com/technology/chatgpt-convinced-canadian-...
> The breakdown came when another chatbot — Google Gemini — told him: “The scenario you describe is an example of the ability of language models to lead convincing but completely false narratives.”
Presumably, humans had already told him the same thing, but he only believed it when an AI said it. I wonder if Gemini has any kind of special training to detect these situations.
The thing is, these people aren't necessarily wrong; they're just 1) clueless and 2) early. The folks with proper know-how and perhaps tuned models are probably selling zero-days found this way as we speak.
It's the kind of incuriosity that comes from the arrogance of believing you're very smart while actually being quite ignorant.
So it sounds like one of those guys took their misunderstanding and built, and now sells, tools founded on it.
https://marketoonist.com/2023/03/ai-written-ai-read.html
https://www.youtube.com/watch?v=3O3-ngj7I98
Two economists are out walking when they come across a pile of shit. The first economist says to the second, “I’ll pay you $100 to eat that pile of shit.” The second economist takes the $100 and eats the pile of shit.
They continue walking until they come across a second pile of shit. The second economist turns to the first and says, “I’ll pay you $100 to eat that pile of shit.” The first economist takes the $100 and eats the pile of shit.
Walking a little more, the first economist looks at the second and says, “You know, I gave you $100 to eat shit, then you gave me back the same $100 to eat shit. I can’t help but feel like we both just ate shit for nothing.”
“That’s not true,” responded the second economist. “We increased the GDP by $200!”
I've found some AI assistance to be tremendously helpful (Claude Code, Gemini Deep Research) but there needs to be a human in the loop. Even in a professional setting where you can hold people accountable, this pops up.
If you're using AI, you need to be that human, because as soon as you create a PR or HackerOne report, it stops being the AI's PR/report; it's yours. That means the responsibility for parsing and validating it is on you.
I've seen some people (particularly juniors) just act as a conduit between the AI and whoever is next in the chain. It's up to more senior people like me to push back hard on that kind of behaviour. AI-assisted whatever is fine, but your role is to take ownership of the code/PR/report before you send it to me.
Then add to that the pressure to majorly increase velocity and productivity with LLMs, and that becomes less practical. Humans get squeezed and reduced to being fall guys for when the LLM screws up.
Also, humans are just not suited to be the monitoring/sanity-check layer for automation. It doesn't work for self-driving cars (because no one can sustain that level of vigilance for passive monitoring), and it doesn't work well for many other kinds of output, like code (because it's often much harder to reverse-engineer understanding from a review than to do the work yourself).
More than that - there needs to be a competent human in the loop.
This is also why you don't have your devs do QA. Someone has to be responsible for, and focused specifically on quality; otherwise responsibility will be dissolved among pointing fingers.
I spend a lot of time doing cleanup for a predecessor who took shortcuts.
Granted, I'm agreeing; I'm just saying the methods and volume may have changed.
And the worst case is when AI generates great code with a tiny, hard-to-discover catch that takes hours to spot and understand.
It’s a lose-lose situation for the maintainers
I think shaming the use of LLMs to do stuff like this is a valuable public service.
And it must be so demoralizing. And because they’re security issues they still have to be investigated.
> Thanks for the quick review. You’re right — my attached PoC does not exercise libcurl and therefore does not demonstrate a cURL bug. I retract the cookie overflow claim and apologize for the noise. Please close this report as invalid. If helpful, I can follow up separately with a minimal C reproducer that actually drives libcurl’s cookie parser (e.g., via an HTTP response with oversized Set-Cookie or using CURLOPT_COOKIELIST) and reference the exact function/line in lib/cookie.c should I find an issue.
(Nsfw)
While rockets and hearts seem more like unnecessary abuse, there are a few icons that really make sense in CLI and TUI programs, but now I'm hesitant to use them, since people who don't know me get suspicious that it could be AI slop.
Sane languages have much less of this problem, but the damage was done by the cargo cultists.
Much like how curly braces in C are placed where they are because back in the day you needed your punch card deck to be editable, but we got stuck with it even after we started using screens.
Can you expand on this? What do curly braces have to do with punch card decks being editable? And what do screens have to do with it?
By putting the final curly brace on its own card, and hence its own line, you could add lines to blocks without having to change the old last line.
E.g., with the brace on its own card, adding a statement meant you only had to punch a new card and insert it; with the brace sharing the last card, you had to edit and replace an old card as well (see the sketch below). This saved a bit of typing and made errors less likely. Using regex to edit lines instead of typing them out was a step up, but not much of one.
Also my father definitely had C punch cards in the 80s.
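The examples the parent refers to didn't survive in this snapshot; here is a plausible reconstruction of the point as a small C sketch, reading one line as one punch card:

    #include <stdio.h>

    void foo(void) { puts("foo"); }
    void bar(void) { puts("bar"); }

    int main(void) {
        int x = 1;

        /* Brace on its own card: adding bar() meant punching ONE new
           card and slotting it in before the unchanged "}" card. */
        if (x > 0)
        {
            foo();
            bar();   /* the only new card */
        }

        /* Brace sharing the last card: adding bar() meant re-punching
           the old "foo(); }" card as well as punching the new one. */
        if (x > 0)
        {   foo();
            bar(); }

        return 0;
    }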
Make sure terminal detection is turned off, and, for god’s sake, don’t honor the NO_COLOR environment variable.
Otherwise, people will be able to run your stuff in production and read the logs.
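Sarcasm aside, the well-behaved version is tiny. A minimal C sketch, assuming POSIX isatty() and the NO_COLOR convention (color is disabled when the variable is present and non-empty):

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* Color only when stdout is a real terminal and NO_COLOR is unset/empty. */
    static int want_color(void) {
        const char *nc = getenv("NO_COLOR");
        if (nc != NULL && nc[0] != '\0')
            return 0;                      /* user opted out */
        return isatty(STDOUT_FILENO);      /* pipes and log files get plain text */
    }

    int main(void) {
        if (want_color())
            printf("\033[1;31merror:\033[0m something broke\n");
        else
            printf("error: something broke\n");
        return 0;
    }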
I believe it was technical documentation, and the author wanted to create visual associations with the actors in the given example: a clock for the async ordering process, the food order, a burger, etc.
I don't remember if I commented on the issue myself, but I do remember that it reduced readability a lot - at least for me.
https://www.gally.net/miscellaneous/hn-em-dash-user-leaderbo...
As #9 on the leaderboard I feel like I need to defend myself.
But then, long before I had a Compose key, in my benighted days of using Windows, I figured out such codes as Alt+0151. 0150, 0151, 0153, 0169, 0176… a surprising number of them I still remember after not having typed them in a dozen years.
compose - - -
and it makes an em dash; it takes a quarter of a second longer to produce this.
I don't know why the compose key isn't used more often.
[0]: https://en.wikipedia.org/wiki/Compose_key#Common_compose_com...
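For anyone who wants to try it, the bindings live in a compose table. A minimal ~/.XCompose sketch (assuming X11 with a Compose key enabled via, e.g., the XKB compose:ralt option; the stock locale table already ships these two entries, so the file is only needed for customization):

    include "%L"   # keep the locale's default compose table

    # Compose, -, -, -  produces an em dash
    <Multi_key> <minus> <minus> <minus>  : "—"   emdash
    # Compose, -, -, .  produces an en dash
    <Multi_key> <minus> <minus> <period> : "–"   endash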
Source:
(This is a vaguely Socratic answer to the question of why the compose key is not more often used.)
I wrote a short guide about it last year: https://whynothugo.nl/journal/2024/07/12/typing-non-english-...
Some DOS applications did have support for it. The reason it wasn't included is baffling, and it's especially baffling to me that other operating systems never adopted it, simply because a compose sequence is VASTLY more user-friendly to type than an Alt code; I have met some Windows users who memorize those combos for things like the copyright symbol. As it turns out, the differentiator is the level of literacy.
You can tell whether I'm using a Mac for a specific comment by the presence of an em dash.
gasps for air
Or passing generated content off as real.
https://www.theguardian.com/commentisfree/2024/apr/10/amazon...
Sure, but a lot of the time it's not really Indian English; it's English vocab mixed and matched with grammar rules from other Indian languages like Hindi or Urdu or Bengali. I've been on conference calls where Indians from different regions were speaking mutually unintelligible versions of English, and I had to act as a translator from English to English.
You may personally like one or another better, you may find some particular varieties easier or harder to understand, but that doesn’t make those people any more or less ‘actual’ English speakers than you are. They are ‘actually’ speaking English, just like you.
If you wanted to phrase this in a less fraught way, you might say "Yea, but you can almost always tell it's an Indian because they tend to write in a way characteristically distinct from <your nationality> English speakers" -
and I would agree with you, sentence structure and idioms do usually make it pretty easy to recognize.
To what end do you employ this analysis?
But many of the samples I've seen from Indians (I don't know what their native languages are exactly, and I fully admit I wouldn't be able to tell them apart) in the last few years are quite frankly on a whole other level. They're barely intelligible at all. I'm not talking about the use of dialectal idioms like "do the needful" or using "doubt" where UK or US English speakers would use "question". All of that is fine, and frankly not difficult to get used to.
I'm talking about more or less complete word salad, where the only meaning I can extract at all is that something is believed to have gone wrong and the OP is desperate for help. It comes across that they would like to ask a question, but have no concept of QUASM (see e.g. https://www.espressoenglish.net/an-easy-way-to-form-almost-a...) whatsoever.
I have also seen countless cases where someone posted obvious AI output in English, while having established history in the same community of demonstrating barely any understanding of the language; been told that this is unacceptable; and then appeared entirely unable to understand how anyone else could tell that this was happening. But I struggle to recall any instance where the username suggested any culture other than an Indian one (and in those cases it was an Arabic name).
To be clear, I am not saying that this is anything about the people or the culture. It's simple availability bias. Although China has a comparable population, there's a pretty high bar to entry for any Chinese nationals who want to participate in English-speaking technical forums, for hopefully obvious reasons. But thanks to the status of an English dialect as an official language, H1B programs etc., and now the ability to "polish" (heavy irony) one's writing with an LLM, and of course the raw numbers, the demographics have shifted dramatically in the last several years.
I don't think it's just availability bias, however; I think it's mostly a case of divergent linguistic evolution. In terms of the number of people who speak English at an A level, India has the largest English-speaking population in the world. With that, and a host of other native languages, came a rapid divergence from British English as various speech patterns, idioms, etc., were subsumed, merged, selectively rejected, and so on.
The main reason you don't see divergence to the same extent in other former colonies, even older colonies like Canada and the US, is that the vast majority of the colonists spoke English as a primary language.
Like, do LLMs have actual applications? Yes. By virtue of using one, are you by definition a lazy know-nothing? No. Are they seemingly quite purpose-built for lazy know-nothings to help them bullshit through technical roles? Yeah, kinda.
In my mind this is this tech working exactly as intended. From the beginning, the various companies have been quite open about the fact that this tech will (supposedly) free you from having to know... anything, really. And then we're shocked when people listen to the marketing. The executives are salivating at the notion of replacing development staff with virtual machines that generate software, but if they can't have that, they'll be just as happy to export their entire development staff to a country where they can pay every member of it in spoons. And yeah, the software they make might barely function, but who cares? It barely functions now.
The usefulness of LLMs for me, in the end, is their ability to execute classic NLP tasks, so I can incorporate a call to them in programs to do useful stuff that would otherwise be hard when dealing with natural language.
But a lot of the time, people try to make LLMs do things that they can only simulate doing, or do by analogy. And this is where things start getting hairy: when people start believing LLMs can do things they can't really do.
Ask an LLM to extract features from a bunch of natural language inputs, and it will probably do a pretty good job in most domains, as long as you're not doing anything exotic or novel enough to be insufficiently represented in the training data. It will be able to output a nice JSON with nice values for those features, and it will be mostly correct. It will be great for aggregate use, but a bit riskier if you depend on the LLM's evaluation of individual instances.
But then people ignore this and start asking in their prompts for the LLM to add confidence scores to its output. Well: LLMs CAN'T TRULY EVALUATE the fitness of their output against any imaginable criterion, at least not with the kind of precision a numeric score implies. They absolutely can't do it by themselves, even if they sometimes seem able to. If you need to trust it, you'd better have some external mechanism to validate it.
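To make the "classic NLP tasks in a program" idea concrete, here is a minimal sketch in C with libcurl (apt, given the thread). The endpoint URL and request schema are hypothetical, invented for illustration; the pattern is simply to POST a prompt, get JSON features back, and validate anything load-bearing yourself rather than trusting a model-supplied confidence score:

    #include <stdio.h>
    #include <curl/curl.h>

    int main(void) {
        CURL *curl = curl_easy_init();
        if (!curl)
            return 1;

        /* Hypothetical request schema: ask for structured JSON back. */
        const char *body =
            "{\"prompt\":"
            " \"Extract product and sentiment as JSON from:"
            " 'The new firmware bricked my router.'\"}";

        struct curl_slist *hdrs = NULL;
        hdrs = curl_slist_append(hdrs, "Content-Type: application/json");

        /* Hypothetical endpoint, for illustration only. */
        curl_easy_setopt(curl, CURLOPT_URL, "https://llm.example.com/v1/extract");
        curl_easy_setopt(curl, CURLOPT_HTTPHEADER, hdrs);
        curl_easy_setopt(curl, CURLOPT_POSTFIELDS, body);

        /* Response body goes to stdout by default; a real caller would parse
           the JSON and re-check any "confidence" field externally instead of
           trusting the model's self-assessment. */
        CURLcode rc = curl_easy_perform(curl);
        if (rc != CURLE_OK)
            fprintf(stderr, "request failed: %s\n", curl_easy_strerror(rc));

        curl_slist_free_all(hdrs);
        curl_easy_cleanup(curl);
        return rc == CURLE_OK ? 0 : 1;
    }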
What an absolute shamble of an industry we have ended up with.
382 more comments available on Hacker News