zlacker

6 comments
1. belter+(OP) 2021-10-27 19:58:14
A friend of a friend told me he is furiously adding code to GitHub, with subtle security bugs. He can't wait for it to show up in the proper places... Courtesy of Copilot ;-)
replies(3): >>threat+B2 >>jeroen+d4 >>moyix+4l
2. threat+B2 2021-10-27 20:11:10
>>belter+(OP)
But people already naturally exhibit subtle bugs in the course of ordinary programming. Your acquaintance will just be another drop in the ocean.
replies(1): >>jmnico+g4
3. jeroen+d4 2021-10-27 20:20:19
>>belter+(OP)
I wonder if that could be a nice money maker. Introduce a lot of generic functions with common names, add security bugs. Maybe add a README entry telling people not to trust the code because you're using it to demonstrate what insecure code looks like, and then wait for some big company with a bug bounty to introduce it to their code base. License your code proprietary or AGPL to make sure the company is the one who gets in trouble if they admit the code comes from you.

With enough nearly-working functions spread across multiple projects in every language known to man, you could practically automate your way into a steady stream of hacker bounties.

People would probably call it unethical, but if Copilot's massive IP violations are okay then who cares. As long as the project's security flaws are recognisable by humans it doesn't matter IMO.

4. jmnico+g4 2021-10-27 20:20:36
>>threat+B2
Except he knows what to look for and how to exploit it. Could lead to easy bug bounty money.
replies(1): >>benbur+N4
5. benbur+N4 2021-10-27 20:23:26
>>jmnico+g4
Seems like an exceptionally risky attempt to make money using programming skills. Why not directly add value to the software world?
replies(1): >>jmnico+z7
6. jmnico+z7 2021-10-27 20:40:05
>>benbur+N4
I'm not endorsing it. FWIW I won't use Copilot and won't add (voluntarily, that is ;) bugs to my code to sabotage it.
7. moyix+4l 2021-10-27 22:00:29
>>belter+(OP)
This attack has been studied!

https://arxiv.org/abs/2007.02220

Although our own work shows Copilot is pretty good at adding security flaws on its own:

https://arxiv.org/abs/2108.09293
