is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 13:30:27 GMT

tef@mastodon.social — Wed, 08 Apr 2026 13:30:27 GMT

to be clear, if you believe openbsd has a lower defect rather than any other of the bsds, you're absolutely being taken for a ride

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 13:27:29 GMT

tef@mastodon.social — Wed, 08 Apr 2026 13:27:29 GMT

@pozorvlak @joe alas, "secure programing in C" turns out to be more than just yelling at linux developers

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 09:24:09 GMT

pozorvlak@mathstodon.xyz — Wed, 08 Apr 2026 09:24:09 GMT

@tef @joe sure, but *every* new analysis technique finds a whole bunch of bugs at first and then levels off after a while. That said, I'm genuinely impressed at some of the things they've found - a 27yo 0day in OpenBSD? Wild.

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 03:40:57 GMT

fay59@tech.lgbt — Wed, 08 Apr 2026 03:40:57 GMT

@joe it’s finding real issues. Anything that finds real issues and costs money will feel like an “engage with us Or Else” situation

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 03:12:21 GMT

fugueish@wandering.shop — Wed, 08 Apr 2026 03:12:21 GMT

@tef @joe Which is: not fully true! Defenders get to define the territory, including audit and observability. Finding a vuln, developing an exploit — way too easy. Making it operational and maintaining the capability over time: somewhat to substantially more fraught. (Still way, way too easy, of course)

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 03:09:33 GMT

tef@mastodon.social — Wed, 08 Apr 2026 03:09:33 GMT

@fugueish @joe alas "they only have to get lucky once, we have to get lucky every time" is as true as it ever was

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 02:30:35 GMT

fugueish@wandering.shop — Wed, 08 Apr 2026 02:30:35 GMT

@tef @joe I get you, and it's a reasonable note! But also, fuzzers do keep working (and we keep getting surprised all over again when someone makes a fuzzer that can reach a previously unreachable area).

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 02:19:36 GMT

sayrer@mastodon.social — Wed, 08 Apr 2026 02:19:36 GMT

@joe https://gist.github.com/sayrer/659bd4098045164ad9a003df449b6a81

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 02:18:50 GMT

tef@mastodon.social — Wed, 08 Apr 2026 02:18:50 GMT

@fugueish @joe i'm not saying "it doesn't work" but "beware the low hanging fruit giving you false estimates about success rate"

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 02:16:32 GMT

tef@mastodon.social — Wed, 08 Apr 2026 02:16:32 GMT

@fugueish @joe this was true of fuzzing before but i admit it is far more subsidized now

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 02:01:26 GMT

migratory@jorts.horse — Wed, 08 Apr 2026 02:01:26 GMT

@joe the "we found a local privesc in Linux" seemed particularly silly to tout... we have local privesc in Linux at home

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 02:00:48 GMT

aburka@hachyderm.io — Wed, 08 Apr 2026 02:00:48 GMT

@joe it absolutely comes across as a protection racket

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 02:00:26 GMT

fugueish@wandering.shop — Wed, 08 Apr 2026 02:00:26 GMT

@tef @joe They seem to avoid talking about solid defensive remedies (some of which LLMs likely will also be able to do well, such as translation and theorem proving — there are already results), for some reason. Until that strong medicine is applied, I think they'll continue producing new bugs and new kinds of bugs. Underestimating them is unwise for defenders. Keep in mind also they are military contractors.

Reply to is it just me, or does the a. i. companies’ recent focus on automating exploit finding read as an “engage with us Or Else” ploy against the projects that wouldn’t take generated code contributions but can’t ignore security issues on Wed, 08 Apr 2026 01:47:19 GMT

tef@mastodon.social — Wed, 08 Apr 2026 01:47:19 GMT

@joe it's more "this is actually a thing it can do" i feel as fuzzing does produce results

but, well, after the burst of low hanging fruit, i don't expect a regular crop of bugs