Add precautionary language about AI reports to security faq
Change-Id: Iff8d6be2eabcf42cd5f03e11284f1da3992dddcb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6509349
Reviewed-by: Amy Ressler <[email protected]>
Commit-Queue: Alex Gough <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1458235}
diff --git a/docs/security/faq.md b/docs/security/faq.md
index 260d793..1791b63 100644
--- a/docs/security/faq.md
+++ b/docs/security/faq.md
@@ -695,6 +695,36 @@
If you believe Chrome's copies of these lists are notably out-of-date, we are
happy to field bug reports but we do not consider this to be a vulnerability.
+## AI Generated Vulnerability reports
+
+<a name="TOC-should-i-ask-an-ai-to-generate-a-vulnerability-report-for-chrome"></a>
+### Should I ask an AI to Generate a Vulnerability Report for Chrome?
+
+Simply asking an AI to identify a bug report in Chrome is unlikely to yield a
+valid report. Before submitting a report generated by AI please ensure you have
+done enough human work to validate that any issue is (a) in our threat model,
+and (b) reachable in Chrome by constructing a POC, generating an ASAN trace,
+recording the bug reproducing, or performing your own debugging.
+
+AI is prone to hallucinations when asked to find security bugs and can generate
+reports that repeat previously fixed issues, or describe general classes of bugs
+without discovering a specific actionable issue. As the reports can be lengthy,
+they take a lot of time for our security experts to process and understand
+before closing. Submitting reports without doing some work yourself to validate
+that an issue is actually present in Chrome harms our users by wasting the time
+and resources of the Chrome security team.
+
+Submitting multiple low-quality AI generated reports will be treated as spamming
+and has lead to accounts being banned from our reporting systems.
+
+AI can be used to accelerate developer workflows and may be useful when
+understanding code or translating from one language to another. AI tools can be
+helpful when searching for security vulnerabilities in Chrome, but remember that
+additional work must be done to ensure that vulnerability reports are brief,
+actionable, and reproducible. These must meet the prerequisites of a [baseline
+security bug report](https://g.co/chrome/vrp#report-quality) before we can pass
+them to teams to be fixed.
+
## Certificates & Connection Indicators
<a name="TOC-Where-are-the-security-indicators-located-in-the-browser-window-"></a>
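Review bot: the new paragraph on bans has a grammar slip: "has lead to accounts being banned" should be "has led to accounts being banned". Two smaller wording and style points in the same hunk: "Simply asking an AI to identify a bug report in Chrome" presumably means "identify a bug in Chrome" (the AI is finding the bug, not the report), and the heading "## AI Generated Vulnerability reports" mixes cases, whereas the neighbouring heading "## Certificates & Connection Indicators" is title-cased, so "## AI-Generated Vulnerability Reports" would match. The anchor `TOC-should-i-ask-an-ai-...` is also all lowercase after `TOC-`, while the existing anchor below it (`TOC-Where-are-the-security-indicators-...`) capitalises the first word; either is fine functionally, but worth aligning with the file's convention.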