I’m seeing a lot of denial and logical fallacies on Mastodon about LLM capability to find security bugs.

@gabrielesvelto @hsivonen yep this is still largely subsidized by cheap inference and essentially free training (for the consumer). I don’t bet on it staying this cheap.

@gabrielesvelto @hsivonen not really. Some bugs are truly hard to find with fuzzing and are more easily identified by seeing codesmell and trying to trace it back to user. Reading and remembering code is limited by brain power / will power. As sad as it is: LLMs scale better here.

@jann I got into a (mild) argument multiple times with our localizers and gave up. I disagree with them but I also don’t have to live with the feedback they get elsewhere. Firefox in English it is…

@gaz not CSS-only as I originally thought. But still pretty cool. I think doing THIS and then going CSS-only is the next frontier

@gaz Have you seen this? You must see this https://front-end.social/@html5test/116301798349200500 first response also contains link to how he built it

@filippo I like their aggressive timeline, but I'm not sure there's any specific argument or reason that explains why it should be expedited. Am I missing something?

@dgl @sash `<svg onload>` works in every browser and is shorter :). But maybe you don’t want your PoC to depend on the goodwill of a third party. And not everyone has a short domain.

@kuketzblog Danke für die Empfehlung