Security Now, Episode 1063: "Mongo's Too Easy - AI Bug Bounties Gone Wild"
Date: February 4, 2026
Hosts: Steve Gibson & Leo Laporte
Main Theme / Purpose
This week, Steve Gibson and Leo Laporte dive deep into two urgent cybersecurity topics:
- How the proliferation of AI is both revolutionizing and destabilizing bug bounty systems (“AI bug bounties gone wild”)
- The ongoing mess of MongoDB’s insecure default settings, which have lowered the hacking bar “to the floor” and invited a wave of unsophisticated but profitable ransomware campaigns.
Other highlights include a Notepad++ supply-chain attack, antivirus software infecting its own users, Apple’s upcoming privacy feature for cellular devices, the AI-fueled collapse of the Curl bug bounty program, breakthrough AI systems finding OpenSSL vulnerabilities, and more. The episode is rich with cautionary tales, wry commentary, and a forward-looking discussion of security in an age of AI.
Key Discussion Points & Insights
1. Breaking News: The AI Disruption Hits the Stock Market
[16:23-19:41]
- The Wall Street Journal reports a sharp drop in software companies’ stock, triggered by fears that rapid advances in AI will “supplant software” and undercut markets for products from companies like Adobe and Salesforce.
- Anthropic’s new generative AI tools for legal drafting in their Cowork Assistant prompted mass sell-offs in companies offering legal software.
- Steve: “It’s what it means is expanding the security boundary...much more content within a much larger boundary.”
- Leo: “There have to be AI firewalls. There have to be ways of letting an AI go out and look at the world without exfiltrating your company’s private documents.”
2. Picture of the Week: Age Verification, Breaches, and Humor
[21:51-24:13]
- Steve and Leo showcase a satirical web service that lets you “verify your age” by either taking a selfie or searching for your ID in existing data breaches.
- Steve: “It's great humor and it just suggests... breaches are so rampant that why are we even being asked to identify ourselves?”
- Discussion of the absurdity and pervasiveness of credential breaches.
3. Notepad++ Supply-Chain Attack
[24:23-30:58]
- Summary: Notepad++ (hugely popular Windows text editor) was the target of a “highly sophisticated, state-level” supply-chain attack, believed to be by Chinese actors, via its update mechanism. The attack was targeted (mostly Asia), likely not widespread, but Steve had been warning of this scenario due to Notepad++’s frequent updates.
- Steve: “These Chinese state-level bad guys...see that Notepad++ is updating itself all the time... ‘Hey, that’s a target!’”
- Advice: Disable automatic updates once you’re running a stable version unless you truly need something new.
4. Antivirus Infects Its Own Users
[30:59-50:41]
- eScan AV (India) suffered its second supply-chain compromise in under two years, distributing malware via its own update channel.
- The malware disabled future updates by editing the hosts file, making remediation difficult.
- Technical details: Malware named “reload.exe,” delivered via infected update server, persisted via scheduled tasks and obfuscated code.
- Steve’s advice: “Neither Leo nor I use any third-party anti-malware add-on and whenever I'm asked I recommend against it...Windows now brings its own [AV].”
- Memorable quote (Steve): “If [AV] goes bad, you’re in deep trouble.”
5. Apple to Obscure Precise Cellular Location (iOS 26.3 Preview)
[55:05-62:59]
- Upcoming iOS feature, “Limit Precise Location from Cellular Networks,” will deliberately fuzz the device’s reported location, unless required for emergencies.
- Only “participating cellular carriers” will honor the new privacy setting (as of now, only Boost Mobile in the US).
- Leo: “Their excuse will be, ‘Oh, it’s how we improve our service...’ Yeah, it’s for your benefit.”
6. Feature: AI Bug Bounties Gone Wild, Curl Cancels Bounty, & AI’s Security Promise
[63:17-109:00]
a) Curl Abandons Its Bug Bounty
[68:09-87:55]
- Curl’s bug bounty program was cancelled due to an “onslaught of AI-generated slop” (flood of bogus bug reports, mostly by AI or low-effort actors looking for bounties).
- Daniel Stenberg (Curl creator) responded aggressively: “We will ban you and ridicule you in public if you waste our time on crap reports.”
- Bug bounties are critical for open-source security; killing them hurts real research.
- Leo: “I think the solution...is not to turn the bug bounty off but to get some help...Ridicule is absolutely useless.”
b) AI Security Breakthrough at OpenSSL
[89:08-109:00]
- New AI company “Aisle” used automated AI to discover all 12 new zero-day vulnerabilities in OpenSSL's latest patch, as well as most of the previous year’s CVEs (13 out of 14 for 2025).
- Aisle's system runs the full loop: scanning, triage, exploit construction, patch generation, and patch verification, with minimal human review.
- The same AI found five new CVEs in curl (for which it received no bounty).
- Steve: “It really means something that AI managed to find 15 out of 16 CVEs in a system as carefully scrutinized as OpenSSL...I now believe there’s a real possibility that we’ll live to see the day when software bugs are eliminated.”
- Leo: “It creates roles...a mayor, refinery, witness...They check each other. This is happening so fast...”
- Future: Software writing, bug fixing, and triage could become “hyper-personalized and disposable.”
7. Errata & Listener Feedback
[110:17-128:44]
- Ireland’s surveillance bill: Corrections from a listener/translator. The wiretap law discussed last week has NOT passed or even been drafted—a “general scheme” was merely announced.
- Gemini AI recommends Steve’s DNS Benchmark: A listener shares that Google’s Gemini suggested Steve’s tool for DNS performance comparison.
- Gemini deletes user files: Chilling story of Visual Studio Code’s Gemini agent deleting all files in a project—AI apologies not accepted.
- Gemini’s response (humor): “That sounds incredibly frustrating and definitely not the kind of assistance anyone wants from an AI.”
- Security concern: Windows’ shared clipboard can be abused for social engineering by malicious web scripts; Microsoft needs to patch this vector.
8. Feature: MongoDB’s “Skill Bar to the Floor” – Script Kiddies Mass Exploit
[138:13–167:21]
- Dark Web post (Quote at 142:08):
“This isn’t some complicated tech heavy process. You don’t need to know coding, hacking or anything technical. If you can copy, paste and click, you’re good to go. ... Some businesses leave their [MongoDB] databases completely unprotected, wide open on the Internet. ... Once you’re in, you can delete their data, wipe it all clean, then leave a ransom note telling them to pay Bitcoin if they want their data back.”
- Steve: “I titled today’s podcast ‘Mongo’s Too Easy’ because MongoDB’s continuing exploitation is now in the hands of the script kiddies.”
- The attack method: automated scripts scan for exposed, unauthenticated MongoDB instances (often default Docker images deployed with no security), then wipe them, replacing the data with a ransom note. No data is ever restored, even if the ransom is paid.
- Flare Systems research: 200,000 publicly discoverable MongoDB servers; 3,100 fully exposed, and nearly half already wiped with ransom notes (typically $500–$600 in Bitcoin).
- One Bitcoin wallet used in 98% of observed ransom notes—indicating a single unsophisticated but highly efficient threat actor/bot.
- Steve’s two main points:
  - “The only servers that should ever be exposed to the internet are those meant to be accessed anonymously by everyone...Nothing that requires a logon should be publicly exposed.”
  - “AI may help us fix code bugs, but it can’t make us humans any less dumb.” Most failures are due to lazy configuration and unsafe defaults, not clever exploits.
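The two settings that put a MongoDB instance in the state the ransom scripts look for are listening on every interface and running with no authorization. The following is an added example, not code from the show or from MongoDB: a small audit of a mongod.conf that flags both, run against two constructed sample configs (the weak one and its hardened counterpart).

```python
"""Audit a mongod.conf for the two settings that leave it "wide open on the Internet":
listening on every interface and running without authorization. Added example."""
# Constructed sample of an unmodified deployment. mongod's own default bindIp is
# 127.0.0.1, but the official Docker image starts it on all interfaces, and
# authorization is off unless it is switched on.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened counterpart: loopback plus one private address, auth on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # app server only
security:
  authorization: enabled
"""

PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text: str) -> dict:
    """Reader for the 'section:/  key: value' subset mongod.conf uses; not full YAML."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):                   # top-level section name
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:      # key under that section
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text: str) -> list:
    """One finding per risky setting; both together is the state the wipers scan for."""
    conf = parse_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings, bind = [], net.get("bindIp", "127.0.0.1")
    binds_all = net.get("bindIpAll", "false").lower() == "true"
    if binds_all or any(b.strip() in PUBLIC_BINDS for b in bind.split(",")):
        shown = "bindIpAll=true" if binds_all else f"bindIp={bind}"
        findings.append(f"net.{shown}: mongod listens on every interface")
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: no login is required")
    return findings
```

Two findings on the same file mean the instance is reachable from anywhere and accepts anyone, which is exactly the combination the copy-paste-and-click scripts exploit.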
Notable Quotes & Memorable Moments
On AI Security Research and Software’s Future:
- “I now believe there’s a very real possibility that many or most of us will live to see the day when software bugs are eliminated.” (Steve, [104:32])
- “It’s not work. ... I love to code, too. And I will always code. ... Now it’s something we do for fun, not because we have to.” (Leo, [110:03])
On Bug Bounty AI Slop:
- “We will ban you and ridicule you in public if you waste our time on crap reports.” (Daniel Stenberg via Steve, [86:30])
- “I don’t think ridicule is going to do anything...I think it would be fairly easy to filter out these bad reports...We shouldn’t throw the baby out with the bathwater here.” (Leo, [87:01])
On MongoDB:
- “Businesses are careless and leave their Mongo Express control panels exposed online with no passwords. ... If you can copy, paste and click, you’re good to go.” (Dark Web posting, [142:10])
- “Attackers do not rely on sophisticated exploits or zero-days. Instead, they abuse insecure defaults.” (Steve, [166:20])
Noteworthy Timestamps
| Segment | Timestamp (MM:SS) |
|------------------------------------------------|---------------------|
| AI-induced software market crash | 16:23–19:41 |
| Picture of the week: Data breach age check | 21:51–24:13 |
| Notepad++ supply chain attack | 24:23–30:58 |
| Antivirus update infects users | 30:59–50:41 |
| Apple iOS 26.3 location fuzzing | 55:05–62:59 |
| Curl bug bounty collapse, AI slop | 68:09–87:55 |
| AI bug-finding in OpenSSL (Aisle) | 89:08–109:00 |
| Errata/listener feedback/Microsoft clipboard | 110:17–128:44 |
| MongoDB script kiddies’ method | 138:13–167:21 |
Conclusion
Steve and Leo warn that while AI rapidly advances “elite” bug discovery and code remediation—making the dream of zero-day-free software possible—humans’ tendency to deploy unsafe defaults and neglect basic network hygiene means low-end, devastating attacks will persist. Most current exploits, like the ongoing MongoDB ransomware pandemic, require no sophistication at all—just poor configuration and inattention. Meanwhile, incentives for real vulnerability research (bug bounties) are being suffocated by AI-generated spam, jeopardizing open-source security unless new vetting methods are put in place.
Perhaps, as Steve says, AI will soon rid us of bugs in code. But only we can rid ourselves of bugs in human behavior.
For more info, show notes, and transcripts: GRC.com
Contact Steve: steve@grc.com
Contact Leo: leo@twit.tv