Why You Should Not Blindly Trust ChatGPT and Its Plug-ins

Over the weekend we saw an immediate rise In the rapidly evolving world of artificial intelligence (AI), with the introduction of OpenAI ChatGPT plug-ins which have become increasingly popular for their ability to process and generate information quickly. However, my recent experiments with ChatGPT regarding cybersecurity vulnerability data have revealed significant limitations, emphasizing the need for caution and verification when using any of these tools.

The Experiment: Querying Vulnerability Data

I conducted a series of experiments to test ChatGPT's accuracy in providing EPSS (Exploit Prediction Scoring System) score trends for Adobe Flash Player vulnerabilities using new vulnerability plug-ins that were released over the last couple of days. The EPSS scores are vital in assessing the likelihood of a software vulnerability being exploited, making accurate data essential in cybersecurity.

The Initial Prompt and Misleading Response

My initial prompt requested EPSS score trends for Adobe Flash Player. ChatGPT's response detailed the scores, percentiles, and dates of a specific CVE (CVE-2023-2023). However, this CVE was incorrectly associated with Adobe Flash Player when it was actually related to WordPress, demonstrating a critical error in the AI's information processing.

The Alternative Prompt: A More Targeted Approach

Seeking a more comprehensive analysis, I altered my prompt to inquire about trends across all CVEs associated with Adobe Flash. ChatGPT's response here was more cautious, stating it couldn't automatically retrieve and analyze EPSS scores for all related CVEs. This response, while not misleading, showcased another limitation: the inability to process complex, multifaceted queries.

The Inconsistent Responses

Repeating the original prompt yielded a completely different answer, focusing on a different CVE (CVE-2021-21092) related to Adobe, but not specifically to Flash Player. This inconsistency in responses further illustrates the challenges AI faces in understanding and accurately responding to specialized queries.The Implications of Inconsistency and InaccuracyThese experiences with ChatGPT highlight several critical issues:

1. Misleading Information: Incorrectly associating CVEs with the wrong software can lead to misguided cybersecurity strategies.

2. Limited Analytical Capacity: The inability to perform comprehensive, multi-faceted data analyses limits the tool's usefulness in specialized fields.

3. Inconsistent Responses: Varying answers to the same query undermine the reliability and credibility of the AI.

The Need for Caution and Verification These limitations underscore the importance of approaching AI tools like ChatGPT with skepticism, especially in specialized fields like cybersecurity. While AI can provide quick answers, it's difficult to depend on artificial intelligence where the data and training of the model for your use case can likely not be trusted. This demonstrates the importance in having confidence in the datasets being used and how the AI model is trained. Users must be default to zero trust in the output, cross-checking AI-provided information with reliable sources.