I chat with Joshua Rogers about a blog post he wrote as well as some bugs he submitted to the curl project. Joshua explains how he went searching for some AI tools to help find security bugs, and found out they can work, if you’re a competent human. We discuss the challenges of finding effective tools, the importance of human oversight in triaging vulnerabilities, and how to submit those bugs to open source projects responsibly. It’s a very sane and realistic conversation about what AI to...| Open Source Security
(See how I cleverly did not mention AI in the title!) You know we have seen more than our fair share of slop reports sent to the curl project so it seems only fair that I also write something about the state of AI when we get to enjoy some positive aspects of this technology. … Continue reading A new breed of analyzers →| daniel.haxx.se
Summary: (Note: AI created the PoC, not the report.) In the `krb5_read_data()` function [here](https://github.com/curl/curl/blob/af7d67d3c03329116e593d999851d2cc3ebbf119/lib/krb5.c#L526-L551),...| HackerOne
We are dropping support for this feature in curl 8.17.0. Kerberos5 FTP to be exact. The last Kerberos support we had for FTP. Badness On September 16, 2025 we received a security report that accurately identified a possible stack based buffer overflow in the Kerberos FTP code that could allow a malicious FTP server to cause … Continue reading Bye bye Kerberos FTP →| daniel.haxx.se
Note: This post is complemented by a presentation I gave at KazHackStan 2025. The slides for that talk can be found here, or in pptx format here.| Joshua.Hu Joshua Rogers’ Scribbles
On August 16, 2025 I gave a keynote with this title at the FrOSCon conference in Bonn, Germany. The room held a few hundred seats and every single one was occupied, with people also filling up the stairs and standing along the walls. Awesome! https://www.youtube.com/watch?v=6n2eDcRjSsk See also my death by slop post for more … Continue reading AI slop attacks on the curl project →| daniel.haxx.se