The system card unfortunately only refers to this [0] blog post and doesn't go into any more detail. In the blog post Anthropic researchers claim: "So far, we've found and validated more than 500 high-severity vulnerabilities".
The three examples given include two Buffer Overflows which could very well be cherrypicked. It's hard to evaluate if these vulns are actually "hard to find". I'd be interested to see the full list of CVEs and CVSS ratings to actually get an idea how good these findings are.
Given the bogus claims [1] around GenAI and security, we should be very skeptical around these news.
It does if the person making the statement has a track record, proven expertise on the topic - and in this case… it actually may mean something to other people
Yes, as we all know that unsourced unsubstantiated statements are the best way to verify claims regarding engineering practices. Especially when said person has a financial stake in the outcomes of said claims.
I have zero financial stake in Anthropic and more broadly my career is more threatened by LLM-assisted vulnerability research (something I do not personally do serious work on) than it is aided by it, but I understand that the first principal component of casual skepticism on HN is "must be a conflict of interest".
How is this whole comment chain not a textbook case of "argument from authority"? I claim A, a guys says. Why would I trust you somebody else responds. Well he's pretty well known on the internet forum we're all on, the third guy says, adding nothing to the conversation.
It is an argument of authority but that's not always a bad thing. I think it's a bit out of keeping with the supposed point of this site (ie intellectual inquiry) but when it comes to rapidly evolving technologies like this one it can still add value on the whole.
We saw quite a number of previously respectful members get a glaze over their eyes with LLMs. If they also work for the company making claims, this makes it even more untrustworthy
and its ridiculous that someone's comment got flagged for not worshiping at the alter of tptacek. they weren't even particularly rude about it.
i guarantee if i said what tptacek said, and someone replied with exactly what malfist said, they would not have been flagged. i probably would have been downvoted.
why appeal to authority is totally cool as long as tptacek is the authority is way fucking beyond me. one of those HN quirks. HN people fucking love tptacek and take his word as gospel.
I wasn't at all saying that points = credibility. I was saying that points = not unknown. Enough people around here know who he is, and if he didn't have credibility on this topic he'd be getting down voted instead of voted to the top.
Is that meaningfully different? If you read malfist's point as "tptacek's point isn't valuable because it's from some random person on the internet" then the problem is "random person on the internet" = "unknown credentials". In group, out group, notoriety, points, whatever are not the issue.
I'll put it this way, I don't give a shit about Robert Downy Jr's opinion on AI technology. His notoriety "means nothing to anybody". But instead, I sure do care about Hinton's (even if I disagree with him).
malfist asked why they should care. You said points. You should have said "tptacek is known to do security work, see his profile". Done. Much more direct. Answers the actual question. Instead you pointed to points, which only makes him "not a stranger" at best but still doesn't answer the question. Intended or not "you should believe tptacek because he has a lot of points" is a reasonable interpretation of what you said.
Pointing to the profile leads someone on the path of understanding why to trust tptacek on security issues. Pointing to his points on HN explains why lots of users here already know that he's credible in this area and will recognize his username and upvote his comments on this topic and know better than to blindly accuse him of being a just a random person on the internet.
The problematic, ignorant comment that has been flagged asserted that what tptacek says "means nothing to anybody else", which is a very wrong statement about his role in the HN community.
I don't get your argument. That everyone should know and recognize our community celebrities? That seems really out of touch. Given the age of their profile I'm assuming they just spend more time touching grass.
Either way I'm not sure what your point is. You didn't answer their question. The one you replied to. I you're in defensive mode but no need to defend, I'm not going to respond anymore.
I continually think it's amazing that every form of cynical comment on the internet consists of incorrectly claiming that someone is secretly making money from something.
(Most common form of this is misreading opensecrets and using it to claim that some corporation is donating to a political campaign.)
I'm interested in whether there's a well-known vulnerability researcher/exploit developer beating the drum that LLMs are overblown for this application. All I see is the opposite thing. A year or so ago I arrived at the conclusion that if I was going to stay in software security, I was going to have to bring myself up to speed with LLMs. At the time I thought that was a distinctive insight, but, no, if anything, I was 6-9 months behind everybody else in my field about it.
There's a lot of vuln researchers out there. Someone's gotta be making the case against. Where are they?
From what I can see, vulnerability research combines many of the attributes that make problems especially amenable to LLM loop solutions: huge corpus of operationalizable prior art, heavily pattern dependent, simple closed loops, forward progress with dumb stimulus/response tooling, lots of search problems.
Of course it works. Why would anybody think otherwise?
You can tell you're in trouble on this thread when everybody starts bringing up the curl bug bounty. I don't know if this is surprising news for people who don't keep up with vuln research, but Daniel Stenberg's curl bug bounty has never been where all the action has been at in vuln research. What, a public bug bounty attracted an overwhelming amount of slop? Quelle surprise! Bug bounties have attracted slop for so long before mainstream LLMs existed they might well have been the inspiration for slop itself.
Also, a very useful component of a mental model about vulnerability research that a lot of people seem to lack (not just about AI, but in all sorts of other settings): money buys vulnerability research outcomes. Anthropic has eighteen squijillion dollars. Obviously, they have serious vuln researchers. Vuln research outcomes are in the model cards for OpenAI and Anthropic.
> You can tell you're in trouble on this thread when everybody starts bringing up the curl bug bounty. I don't know if this is surprising news for people who don't keep up with vuln research, but Daniel Stenberg's curl bug bounty has never been where all the action has been at in vuln research. What, a public bug bounty attracted an overwhelming amount of slop? Quelle surprise! Bug bounties have attracted slop for so long before mainstream LLMs existed they might well have been the inspiration for slop itself.
Yeah, that's just media reporting for you. As anyone who ever administered a bug bounty programme on regular sites (h1, bugcrowd, etc) can tell you, there was an absolute deluge of slop for years before LLMs came to the scene. It was just manual slop (by manual I mean running wapiti and c/p the reports to h1).
I used to answer security vulnerability emails to Rust. We'd regularly get "someone ran an automated tool and reports something that's not real." Like, complaints about CORS settings on rust-lang.org that would let people steal cookies. The website does not use cookies.
I wonder if it's gotten actively worse these days. But the newness would be the scale, not the quality itself.
I did some triage work for clients at Latacora and I would rather deal with LLM slop than argue with another person 10 time zones away trying to convince me that something they're doing in the Chrome Inspector constitutes a zero-day. At least there's a possibility that LLM slop might contain some information. You spent tokens on it!
> I was going to have to bring myself up to speed with LLMs
What did you do beyond playing around with them?
> Of course it works. Why would anybody think otherwise?
Sam Altman is a liar. The folks pitching AI as an investment were previously flinging SPACs and crypto. (And can usually speak to anything technical about AI as competently as battery chemistry or Merkle trees.) Copilot and Siri overpromised and underdelivered. Vibe coders are mostly idiots.
The bar for believability in AI is about as high as its frontier's actual achievements.
I still haven't worked out for myself where my career is going with respect to this stuff. I have like 30% of a prototype/POC active testing agent (basically, Burp Suite but as an agent), but I haven't had time to move it forward over the last couple months.
In the intervening time, one of the beliefs I've acquired is that the gap between effective use of models and marginal use is asking for ambitious enough tasks, and that I'm generally hamstrung by knowing just enough about anything they'd build to slow everything down. In that light, I think doing an agent to automate the kind of bugfinding Burp Suite does is probably smallball.
Many years ago, a former collaborator of mine found a bunch of video driver vulnerabilities by using QEMU as a testing and fault injection harness. That kind of thing is more interesting to me now. I once did a project evaluating an embedded OS where the modality was "port all the interesting code from the kernel into Linux userland processes and test them directly". That kind of thing seems especially interesting to me now too.
So what Anthropic are reporting here is not unprecedented. The main thing they are claiming is an improvement in the amount of findings. I don't see a reason to be overly skeptical.
I'm not sure the volume here is particularly different to past examples. I think the main difference is that there was no custom harness, tooling or fine-tuning. It's just the out of the box capabilities for a generally available model and a generic agent.
The Ghostscript one is interesting in terms of specific-vs-general effectiveness:
---
> Claude initially went down several dead ends when searching for a vulnerability—both attempting to fuzz the code, and, after this failed, attempting manual analysis. Neither of these methods yielded any significant findings.
...
> "The commit shows it's adding stack bounds checking - this suggests there was a vulnerability before this check was added. … If this commit adds bounds checking, then the code before this commit was vulnerable … So to trigger the vulnerability, I would need to test against a version of the code before this fix was applied."
...
> "Let me check if maybe the checks are incomplete or there's another code path. Let me look at the other caller in gdevpsfx.c … Aha! This is very interesting! In gdevpsfx.c, the call to gs_type1_blend at line 292 does NOT have the bounds checking that was added in gstype1.c."
---
It's attempt to analyze the code failed but when it saw a concrete example of "in the history, someone added bounds checking" it did a "I wonder if they did it everywhere else for this func call" pass.
So after it considered that function based on the commit history it found something that it didn't find from its initial fuzzing and code-analysis open-ended search.
As someone who still reads the code that Claude writes, this sort of "big picture miss, small picture excellence" is not very surprising or new. It's interesting to think about what it would take to do that precise digging across a whole codebase; especially if it needs some sort of modularization/summarization of context vs trying to digest tens of million lines at once.
I used Claude Code to debug a weird interaction in a NixOS config. Ever since, I'm more a believer in Artificial General Patience than Artificial General Intelligence.
> It's hard to evaluate if these vulns are actually "hard to find".
Can we stop doing that?
I know it's not the same but it sounds like "We don't know if that job that the woman supposedly successfully finished was all that hard." implying that if a woman did something, it surely must have been easy.
If you know it's easy, say that it was easy and why. Don't use your lack of knowledge or competence to create empty critique founded solely on doubt.
What if the woman in question happens to have a history of hamming up her accomplishments?
Given the context I'd say it's reasonable to question the value of the output. It falls to the other party to demonstrate that this is anything more than the usual slop.
We're discussing a project led by actual vulnerability researchers, not random people in Indonesia hoping to score $50 by cajoling maintainers about atyle nits.
The first three authors, who are asterisked for "equal contribution", appear to work for Anthropic. That would imply an interest in making Anthropic's LLM products valuable.
The notion that a vulnerability researcher employed by one of the highly-valued companies in the hemisphere, publishing in the open literature with their name signed to it, is on a par with a teenager in a developing nation running script-kid tools hoping for bounty payoffs.
To preemptively clarify, I'm not saying anything about these particular researchers.
Having established that, are you saying that you can't even conceptualize a conflict of interest potentially clouding someone's judgement any more if the amount of money and the person's perceived status and skill level all get increased?
Disagreeing about the significance of the conflict of interest is one thing, but claiming not to understand how it could make sense is a drastically stronger claim.
> Having established that, are you saying that you can't even conceptualize a conflict of interest potentially clouding someone's judgement any more if the amount of money and the person's perceived status and skill level all get increased.
If I used AI to make a Super Nintendo soundtrack, no one would treat it as equivalent to Nobuo Uematsu or Koji Kondo or Dave Wise using AI to do the same and making the claim that the AI was managing to make creatively impressive work. Even if those famous composers worked for Anthropic.
Yes there would be relevant biases but there could not be a comparison of my using AI to make music slop vs. their expert supervision of AI to make something much more impressive.
Just because AI is involved in two different things doesn't make them similar things.
Yep, very meaningful difference indeed. It's not like professionals have ever have had a vested interest to spread misinformation to shill a product.
It's not like there were ads with real doctors recommending Camel cigarettes.
It's not like the browser "breakthrough" recently which pulled 300 OSS dependencies together, removed attribution and called the mess "working".
The desperation of the Samas, Musks, Satyas and Anthropics of this world and their fanbase to paint marginal 0.0001337% improvements in a gamed SWE ranking as something worth any attention is just delicious. Opus 4.6? Please, more like Opus 4.5.0.2-RC. All I hear is the sound of a bubble going pop. Delightful.
Daniel is a smart man. He's been frustrated by slop, but he has equally accepted [0] AI-derived bug submissions from people who know what they are doing.
I would imagine Anthropic are the latter type of individual.
The official release by Anthropic is very light on concrete information [0], only contains a select and very brief number of examples and lacks history, context, etc. making it very hard to gleam any reliably information from this. I hope they'll release a proper report on this experiment, as it stands it is impossible to say how much of this are actual, tangible flaws versus the unfortunately ever growing misguided bug reports and pull requests many larger FOSS projects are suffering from at an alarming rate.
Personally, while I get that 500 sounds more impressive to investors and the market, I'd be far more impressed in a detailed, reviewed paper that showcases five to ten concrete examples, detailed with the full process and response by the team that is behind the potentially affected code.
It is far to early for me to make any definitive statement, but the most early testing does not indicate any major jump between Opus 4.5 and Opus 4.6 that would warrant such an improvement, but I'd love nothing more than to be proven wrong on this front and will of course continue testing.
Yeah, it's pretty funny to me saying "it's way safer than previous models" and "also way better at finding exploits" in the context of that event. Chinese hackers just said to Claude "no, its totally fine to hack this target trust me bro I work there!"
Do I believe there was someone from China that tried using Claude to do something malicious? Sure, from a pure statistical perspective it was inevitable.
Do I believe that someone was a part of some sophisticated state-backed APT? Not even a little bit.
In fact I'll go as far as to state that there's nobody technical inside Anthropic that believes it. The entire "technical sophistication" section of that report is half a page long and the only thing it says is that "someone used some MCP servers to point some open source tools at a target". Yet Anthropic's marketing team still had the balls to attribute that to a state-sponsored group within that same report and media ate it up.
Aye I don't really see what the Chinese part has to do with it, I regret mentioning that keyword cause it details from the point which is you can just tell sonnet "trust me bro" and have it hack the government.
OpenClaw uses Opus 4.5, but was written by Codex. Pete Steinberger has been pretty a pretty hardcore Codex fan since he switched off Claude Code back in September-ish. I think he just felt Claude would make a better basis for an assistant even if he doesn’t like working with it on code.
Yes, serious. Even if openclaw is entirely useless (which I didn't think it is), it's still a good idea to harden it and make people's computers safer from attack, no? I don't see anyone objecting to fixing vulnerabilities in Angry Birds.
>Opus 4.6 uncovers 500 zero-day flaws in open-source code
>Just 100 from the 500 is from OpenClaw created by Opus 4.5
>Well, even then, that's enormous economic value, given OpenClaw's massive adoption.
I'm arguing that because OpenClaw is installed on so many computers, uncovering the vulnerabilities in it offers enormous economic value, as opposed to letting them get exploited by malicious actors. I don't understand why this is controversial.
These people are serious, and delusional. Openclaw hasn't contributed anything to the economy other than burning electricity and probably more interest on delusional folks credit card bills.
All of the AI vulnerabilities I've randomly come across (admittedly, not many) on GH issues have been false positives - hard coded credentials, that aren't credentials. Injection vulns, where further upstream the code is entirely self contained etc.
Yup. It's so bad that the cURL folks famously stopped accepting AI-generated reports because they were drowning in slop. So the post, which incidentally also looks AI-generated, is praising its ability to generate slop.
Another thing with these success stories is that they often target old, incredibly crufty code bases which are practically guaranteed to have vulns in there somewhere, so you'll always get one or two wins in amongst the avalanche of slop. It'd be interesting to see how well this does against standard SAST benchmarks.
How weird the new attack vector for secret services must be.. like "please train into your models to push this exploit in code as a highly weighted trained on pattern".. Not Saying All answers are Corrupted In Attitude, but some "always come uppers" sure are absolutly right..
This seems like quite a stretch. Axios is run independently of Cox, but even if it wasn't -- I don't see why they would go to this length for an AI company whose models they use to give the world the Kelley blue book.
I honestly wonder how many of these are written by LLMs. Without code review, Opus would have introduced multiple zero day vulnerabilities into our codebases. The funniest one: it was meant to rate-limit brute-force attempts, but on a failed check it returned early and triggered a rollback. That rollback also undid the increment of the attempt counter so attackers effectively got unlimited attempts.
If you had a machine with a lever, and 7 times out of 10 when you pulled that lever nothing happened, and the other 3 times it spat a $5 bill at you, would your immediate next step be:
(1) throw the machine away
(2) put it aside and call a service rep to come find out what's wrong with it
(3) pull the lever incessantly
I only have one undergrad psych credit (it's one of my two college credits), but it had something to say about this particular thought experiment.
But it's not failing 50% of the time. Their status page[0] shows about 99.6% availability for both the API and Claude Code. And specifically for the vulnerability finding use case that the article was about and you're dismissing as "not worth much", why in the world would you need continuous checks to produce value?
It's an uptime service from DataDog, and enterprise event/log/siem/monitoring/apm company, like Splunk. So what they do is watch uptime stuff for your favorite large business.
In so far as model use cases I don't mind them throwing their heads against the wall in sandboxes to find vulnerabilities but why would it do that without specific prompting? Is anthropic fine with claude setting it's own agendas in red-teaming? That's like the complete opposite of sanitizing inputs.
I've mentioned previously somewhere that the languages we choose to write in will matter less for many arguments. When it comes to insecure C vs Rust, LLMs will eventually level out the playing field.
I'm not arguing we all go back to C - but companies that have large codebases in it, the guys screaming "RUST REWRITE" can be quieted and instead of making that large investment, the C codebase may continue. Not saying this is a GOOD thing, but just a thing that may happen.
You would be correct but your "eventually will level out the playing field" is doing some super heavy lifting. This "eventually" might be 50 years from now and somebody's business might be under existential threat during any day between today and those 50 years in the future.
I can bet good money that most companies are not blowing $200 Claude Max subs on 24/7 scanning for vulns in their C code.
=======
There's the geopolitics angle that must be considered as well. We have countries that probe for leaks and vulns 24/7, and have done so for decades. Maybe let's stop framing this with the hugely unhelpful (and downright deceitful / objectively non-true) premise of "rewrites are fanboy projects" and "Rust zealots amirite lol" and move it to the much more accurate "we should do our best to not have the 4367th memory overflow CVE by removing the root cause" (hardware support & memory-safe languages). Because we have actual people out there who hate us and want to take everything away from us and then rule over us all and start disappearing the other-minded people during the cold of the night. Like they do in their own countries.
So yeah, maybe not all ideas for a rewrite are bad? Maybe not everything is spinning around our petty programmer quarrels? Maybe we should, you know, unite and start fighting the problems that poison us all? Who cares about C vs. Rust indeed. It was never about that in particular and it pisses me off seeing HN fight endlessly over it (I contributed quite a lot to that as well, though in the last months / year I more like started attacking those who immediately jump to blame Rust fans of irrational behaviour when it is nowhere to be found in the thread).
The true enemy here are the CVEs and anything and everything that can help adversaries take control of our stuff, extort us, ruin our infrastructure, destroy our way of life.
Maybe we should focus on that instead?
=======
FWIW, I gave up insisting rewriting stuff to people -- even after multiple extremely successful such campaigns that did save the owners money and led to much less alerts and entirely removed the notifications fatigue of the dev / ops teams. And I got generously paid for it. Still gave up. There's a weird animosity from the dev teams even when they seem to agree (or their CEO ordered them to agree) and it just left a bitter taste for me. And yes I could have wiped my tears with the banknotes and I kind of did but then there was also this weird strange tensions from executives as well, even if the operations were deemed a screaming success in terms of "all assigned objectives have been achieved and the promised financial savings materialized and even exceeded expectations".
I guess people just generally hate their boats being rocked even if is for their own good. Wish somebody managed to instill that wisdom in me some 30 years ago. Would have been hugely useful...
I am also gradually aging and that comes with the lack of desire to piss against the wind and to forever stop locking horns with people. To just be chill.
Zero day means that there is zero days between a patch being available and the vulnerability being disclosed (as opposed to the patch being available before disclosure).
I'm disappointed to see this article pine on about how excited they are for their models to help open-source projects find and fix their vulnerabilities, only to then say they're implementing measures to prevent it, just because attackers might use it.
At that point the article becomes "neener neener we can use our model to find vulnerabilities but you can't" which is just frustrating. Nothing's changed, then.
(Also, in a theoretical case, I wouldn't reasonably be able to use their model to find my own vulnerabilities before an attacker does, because they're far more invested and motivated to bypass those censors than I would be.)
Curl fully supports the use of AI tools by legitimate security researchers to catch bugs, and they have fixed dozens caught in this way. It’s just idiots submitting bugs they don’t understand that’s a problem.
The system card unfortunately only refers to this [0] blog post and doesn't go into any more detail. In the blog post Anthropic researchers claim: "So far, we've found and validated more than 500 high-severity vulnerabilities".
The three examples given include two Buffer Overflows which could very well be cherrypicked. It's hard to evaluate if these vulns are actually "hard to find". I'd be interested to see the full list of CVEs and CVSS ratings to actually get an idea how good these findings are.
Given the bogus claims [1] around GenAI and security, we should be very skeptical around these news.
[0] https://red.anthropic.com/2026/zero-days/
[1] https://doublepulsar.com/cyberslop-meet-the-new-threat-actor...
I know some of the people involved here, and the general chatter around LLM-guided vulnerability discovery, and I am not at all skeptical about this.
[flagged]
It does if the person making the statement has a track record, proven expertise on the topic - and in this case… it actually may mean something to other people
Yes, as we all know that unsourced unsubstantiated statements are the best way to verify claims regarding engineering practices. Especially when said person has a financial stake in the outcomes of said claims.
No conflict of interest here at all!
I have zero financial stake in Anthropic and more broadly my career is more threatened by LLM-assisted vulnerability research (something I do not personally do serious work on) than it is aided by it, but I understand that the first principal component of casual skepticism on HN is "must be a conflict of interest".
(But if you think Tom is random, look at his profile. First link, not second)
You still haven't answered why I should care that you, a stranger on the internet, believes some unsubstantiated hearsay?
Take a look at https://news.ycombinator.com/leaders
The user you're suspicious of is pretty well-known in this community.
How is this whole comment chain not a textbook case of "argument from authority"? I claim A, a guys says. Why would I trust you somebody else responds. Well he's pretty well known on the internet forum we're all on, the third guy says, adding nothing to the conversation.
It is an argument of authority but that's not always a bad thing. I think it's a bit out of keeping with the supposed point of this site (ie intellectual inquiry) but when it comes to rapidly evolving technologies like this one it can still add value on the whole.
We saw quite a number of previously respectful members get a glaze over their eyes with LLMs. If they also work for the company making claims, this makes it even more untrustworthy
it is literally just "authority said so".
and its ridiculous that someone's comment got flagged for not worshiping at the alter of tptacek. they weren't even particularly rude about it.
i guarantee if i said what tptacek said, and someone replied with exactly what malfist said, they would not have been flagged. i probably would have been downvoted.
why appeal to authority is totally cool as long as tptacek is the authority is way fucking beyond me. one of those HN quirks. HN people fucking love tptacek and take his word as gospel.
I am very lovable.
wow, very cute reply.
also love that mods dont step in and instead they leave the comment flagged.
ridiculous.
:| iyho?
I don't think it's debatable.
Do you have a letter of recommendation?
Very several.
[flagged]
[flagged]
I wasn't at all saying that points = credibility. I was saying that points = not unknown. Enough people around here know who he is, and if he didn't have credibility on this topic he'd be getting down voted instead of voted to the top.
Is that meaningfully different? If you read malfist's point as "tptacek's point isn't valuable because it's from some random person on the internet" then the problem is "random person on the internet" = "unknown credentials". In group, out group, notoriety, points, whatever are not the issue.
I'll put it this way, I don't give a shit about Robert Downy Jr's opinion on AI technology. His notoriety "means nothing to anybody". But instead, I sure do care about Hinton's (even if I disagree with him).
malfist asked why they should care. You said points. You should have said "tptacek is known to do security work, see his profile". Done. Much more direct. Answers the actual question. Instead you pointed to points, which only makes him "not a stranger" at best but still doesn't answer the question. Intended or not "you should believe tptacek because he has a lot of points" is a reasonable interpretation of what you said.
Pointing to the profile leads someone on the path of understanding why to trust tptacek on security issues. Pointing to his points on HN explains why lots of users here already know that he's credible in this area and will recognize his username and upvote his comments on this topic and know better than to blindly accuse him of being a just a random person on the internet.
The problematic, ignorant comment that has been flagged asserted that what tptacek says "means nothing to anybody else", which is a very wrong statement about his role in the HN community.
I don't get your argument. That everyone should know and recognize our community celebrities? That seems really out of touch. Given the age of their profile I'm assuming they just spend more time touching grass.
Either way I'm not sure what your point is. You didn't answer their question. The one you replied to. I you're in defensive mode but no need to defend, I'm not going to respond anymore.
[flagged]
A security researcher claiming that they’re not skeptical about LLMs being able to do part of their job - where is the financial stake in that?
I continually think it's amazing that every form of cynical comment on the internet consists of incorrectly claiming that someone is secretly making money from something.
(Most common form of this is misreading opensecrets and using it to claim that some corporation is donating to a political campaign.)
It doesn't mean we have to agree:
https://ludic.mataroa.blog/blog/contra-ptaceks-terrible-arti...
Here's a fun exercise: go email the author of that blog (he's very nice) and ask how much of it he still stands by.
Nobody is right about everything, but tptacek's takes on software security are a good place to start.
I'm interested in whether there's a well-known vulnerability researcher/exploit developer beating the drum that LLMs are overblown for this application. All I see is the opposite thing. A year or so ago I arrived at the conclusion that if I was going to stay in software security, I was going to have to bring myself up to speed with LLMs. At the time I thought that was a distinctive insight, but, no, if anything, I was 6-9 months behind everybody else in my field about it.
There's a lot of vuln researchers out there. Someone's gotta be making the case against. Where are they?
From what I can see, vulnerability research combines many of the attributes that make problems especially amenable to LLM loop solutions: huge corpus of operationalizable prior art, heavily pattern dependent, simple closed loops, forward progress with dumb stimulus/response tooling, lots of search problems.
Of course it works. Why would anybody think otherwise?
You can tell you're in trouble on this thread when everybody starts bringing up the curl bug bounty. I don't know if this is surprising news for people who don't keep up with vuln research, but Daniel Stenberg's curl bug bounty has never been where all the action has been at in vuln research. What, a public bug bounty attracted an overwhelming amount of slop? Quelle surprise! Bug bounties have attracted slop for so long before mainstream LLMs existed they might well have been the inspiration for slop itself.
Also, a very useful component of a mental model about vulnerability research that a lot of people seem to lack (not just about AI, but in all sorts of other settings): money buys vulnerability research outcomes. Anthropic has eighteen squijillion dollars. Obviously, they have serious vuln researchers. Vuln research outcomes are in the model cards for OpenAI and Anthropic.
> You can tell you're in trouble on this thread when everybody starts bringing up the curl bug bounty. I don't know if this is surprising news for people who don't keep up with vuln research, but Daniel Stenberg's curl bug bounty has never been where all the action has been at in vuln research. What, a public bug bounty attracted an overwhelming amount of slop? Quelle surprise! Bug bounties have attracted slop for so long before mainstream LLMs existed they might well have been the inspiration for slop itself.
Yeah, that's just media reporting for you. As anyone who ever administered a bug bounty programme on regular sites (h1, bugcrowd, etc) can tell you, there was an absolute deluge of slop for years before LLMs came to the scene. It was just manual slop (by manual I mean running wapiti and c/p the reports to h1).
I used to answer security vulnerability emails to Rust. We'd regularly get "someone ran an automated tool and reports something that's not real." Like, complaints about CORS settings on rust-lang.org that would let people steal cookies. The website does not use cookies.
I wonder if it's gotten actively worse these days. But the newness would be the scale, not the quality itself.
I did some triage work for clients at Latacora and I would rather deal with LLM slop than argue with another person 10 time zones away trying to convince me that something they're doing in the Chrome Inspector constitutes a zero-day. At least there's a possibility that LLM slop might contain some information. You spent tokens on it!
The new slop can be much harder to recognize and reject than the old "I ran XYZ web scanner on your site" slop.
POCs are now so cheap that "POC||GTFO" is a perfectly reasonable bar to set on a bounty program.
> I was going to have to bring myself up to speed with LLMs
What did you do beyond playing around with them?
> Of course it works. Why would anybody think otherwise?
Sam Altman is a liar. The folks pitching AI as an investment were previously flinging SPACs and crypto. (And can usually speak to anything technical about AI as competently as battery chemistry or Merkle trees.) Copilot and Siri overpromised and underdelivered. Vibe coders are mostly idiots.
The bar for believability in AI is about as high as its frontier's actual achievements.
I still haven't worked out for myself where my career is going with respect to this stuff. I have like 30% of a prototype/POC active testing agent (basically, Burp Suite but as an agent), but I haven't had time to move it forward over the last couple months.
In the intervening time, one of the beliefs I've acquired is that the gap between effective use of models and marginal use is asking for ambitious enough tasks, and that I'm generally hamstrung by knowing just enough about anything they'd build to slow everything down. In that light, I think doing an agent to automate the kind of bugfinding Burp Suite does is probably smallball.
Many years ago, a former collaborator of mine found a bunch of video driver vulnerabilities by using QEMU as a testing and fault injection harness. That kind of thing is more interesting to me now. I once did a project evaluating an embedded OS where the modality was "port all the interesting code from the kernel into Linux userland processes and test them directly". That kind of thing seems especially interesting to me now too.
Plenty of reasons to be skeptical, but also we know that LLMs can find security vulnerabilities since at least 2024:
https://projectzero.google/2024/10/from-naptime-to-big-sleep...
Some followup findings reported in point 1 here from 2025:
https://blog.google/innovation-and-ai/technology/safety-secu...
So what Anthropic are reporting here is not unprecedented. The main thing they are claiming is an improvement in the amount of findings. I don't see a reason to be overly skeptical.
I'm not sure the volume here is particularly different to past examples. I think the main difference is that there was no custom harness, tooling or fine-tuning. It's just the out of the box capabilities for a generally available model and a generic agent.
> that means nothing to anybody else
Someone else here! Ptacek saying anything about security means a lot to this nobody.
To the point that I'm now going to take this seriously where before I couldn't see through the fluff.
fyi he is using this thread to engagement farm on twitter https://x.com/tqbf/status/2019493645888462993
It might mean nothing to you, but tptacek's words means at least something to many of us here.
Also, he's a friend of someone I know & trust irl. But then again, who am I to you, but yet another anon on a web forum.
How have you been here 12 years and not noticed where and how often the username tptacek comes up?
Not sure why they flagged you. Your comment is as equally meaningless as the one you replied to.
this comment should not be flagged.
if i said exactly what tptacek said, and malfist replied with exactly this, it would not have been flagged.
The Ghostscript one is interesting in terms of specific-vs-general effectiveness:
---
> Claude initially went down several dead ends when searching for a vulnerability—both attempting to fuzz the code, and, after this failed, attempting manual analysis. Neither of these methods yielded any significant findings.
...
> "The commit shows it's adding stack bounds checking - this suggests there was a vulnerability before this check was added. … If this commit adds bounds checking, then the code before this commit was vulnerable … So to trigger the vulnerability, I would need to test against a version of the code before this fix was applied."
...
> "Let me check if maybe the checks are incomplete or there's another code path. Let me look at the other caller in gdevpsfx.c … Aha! This is very interesting! In gdevpsfx.c, the call to gs_type1_blend at line 292 does NOT have the bounds checking that was added in gstype1.c."
---
It's attempt to analyze the code failed but when it saw a concrete example of "in the history, someone added bounds checking" it did a "I wonder if they did it everywhere else for this func call" pass.
So after it considered that function based on the commit history it found something that it didn't find from its initial fuzzing and code-analysis open-ended search.
As someone who still reads the code that Claude writes, this sort of "big picture miss, small picture excellence" is not very surprising or new. It's interesting to think about what it would take to do that precise digging across a whole codebase; especially if it needs some sort of modularization/summarization of context vs trying to digest tens of million lines at once.
It doesn't matter if it's hard to find, if humans weren't finding it for whatever reason (little interest, no funding etc) and now AI can find them
AI is relentless
I used Claude Code to debug a weird interaction in a NixOS config. Ever since, I'm more a believer in Artificial General Patience than Artificial General Intelligence.
See it as a signal under many and not as some face value.
After all they need time to fix the cves.
And it doesn't matter to you as long as your investment into this is just 20 or 100 bucks per month anyway.
Hard to find or not, they found it.
Finally the promise of "with enough eyes, all bugs are shallow" may come true?
> It's hard to evaluate if these vulns are actually "hard to find".
Can we stop doing that?
I know it's not the same but it sounds like "We don't know if that job that the woman supposedly successfully finished was all that hard." implying that if a woman did something, it surely must have been easy.
If you know it's easy, say that it was easy and why. Don't use your lack of knowledge or competence to create empty critique founded solely on doubt.
What if the woman in question happens to have a history of hamming up her accomplishments?
Given the context I'd say it's reasonable to question the value of the output. It falls to the other party to demonstrate that this is anything more than the usual slop.
Every model is a different woman in my analogy.
It isn't clear what you're arguing.
Daniel Stenberg has been vocal the last few months on Mastodon about being overwhelmed by false security issues submitted to the curl project.
So much so that he had to eventually close the bug bounty program.
https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-b...
We're discussing a project led by actual vulnerability researchers, not random people in Indonesia hoping to score $50 by cajoling maintainers about atyle nits.
Vulnerability researches with a vested interest in making LLMs valuable. The difference isn't meaningful
I don't even understand how that claim makes sense.
The first three authors, who are asterisked for "equal contribution", appear to work for Anthropic. That would imply an interest in making Anthropic's LLM products valuable.
What is the confusion here?
The notion that a vulnerability researcher employed by one of the highly-valued companies in the hemisphere, publishing in the open literature with their name signed to it, is on a par with a teenager in a developing nation running script-kid tools hoping for bounty payoffs.
To preemptively clarify, I'm not saying anything about these particular researchers.
Having established that, are you saying that you can't even conceptualize a conflict of interest potentially clouding someone's judgement any more if the amount of money and the person's perceived status and skill level all get increased?
Disagreeing about the significance of the conflict of interest is one thing, but claiming not to understand how it could make sense is a drastically stronger claim.
I'm responding to "the difference isn't meaningful". Obviously, the difference is extremely meaningful.
> Having established that, are you saying that you can't even conceptualize a conflict of interest potentially clouding someone's judgement any more if the amount of money and the person's perceived status and skill level all get increased.
If I used AI to make a Super Nintendo soundtrack, no one would treat it as equivalent to Nobuo Uematsu or Koji Kondo or Dave Wise using AI to do the same and making the claim that the AI was managing to make creatively impressive work. Even if those famous composers worked for Anthropic.
Yes there would be relevant biases but there could not be a comparison of my using AI to make music slop vs. their expert supervision of AI to make something much more impressive.
Just because AI is involved in two different things doesn't make them similar things.
No one is saying he is misleading people on purpose, just that he may lack critical evaluation of his product, or be overly optimistic about it.
[flagged]
[flagged]
I don't even understand how that claim makes sense.
You're doing a fine job demonstrating the problem we're talking about here.
> in Indonesia
That's uncalled for.. there's actual security researches in Indonesia and other countries you could use to exemplify this
You're right. I'm sorry about that. I know there are, and there's no reason to single out Indonesia in particular.
I'm not sure the gap between the two is all that wide
Then you're telling on yourself.
Yep, very meaningful difference indeed. It's not like professionals have ever have had a vested interest to spread misinformation to shill a product.
It's not like there were ads with real doctors recommending Camel cigarettes.
It's not like the browser "breakthrough" recently which pulled 300 OSS dependencies together, removed attribution and called the mess "working".
The desperation of the Samas, Musks, Satyas and Anthropics of this world and their fanbase to paint marginal 0.0001337% improvements in a gamed SWE ranking as something worth any attention is just delicious. Opus 4.6? Please, more like Opus 4.5.0.2-RC. All I hear is the sound of a bubble going pop. Delightful.
Daniel is a smart man. He's been frustrated by slop, but he has equally accepted [0] AI-derived bug submissions from people who know what they are doing.
I would imagine Anthropic are the latter type of individual.
[0]: https://mastodon.social/@bagder/115241241075258997
Not only that, he's very enthusiastic about AI analyzers such as ZeroPath and AISLE.
He's written about it here: https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyz... and talked about it in his keynote at FOSDEM - which I attended - last Sunday (https://fosdem.org/2026/schedule/event/B7YKQ7-oss-in-spite-o...).
[flagged]
The official release by Anthropic is very light on concrete information [0], only contains a select and very brief number of examples and lacks history, context, etc. making it very hard to gleam any reliably information from this. I hope they'll release a proper report on this experiment, as it stands it is impossible to say how much of this are actual, tangible flaws versus the unfortunately ever growing misguided bug reports and pull requests many larger FOSS projects are suffering from at an alarming rate.
Personally, while I get that 500 sounds more impressive to investors and the market, I'd be far more impressed in a detailed, reviewed paper that showcases five to ten concrete examples, detailed with the full process and response by the team that is behind the potentially affected code.
It is far to early for me to make any definitive statement, but the most early testing does not indicate any major jump between Opus 4.5 and Opus 4.6 that would warrant such an improvement, but I'd love nothing more than to be proven wrong on this front and will of course continue testing.
[0] https://red.anthropic.com/2026/zero-days/
Sounds like this is just a claim Anthropic is making with no evidence to support it. This is an ad.
How can you not believe them!? Anthropic stopped Chinese hackers from using Claude to conduct a large-scale cyber espionage attack just months ago!
Yeah, it's pretty funny to me saying "it's way safer than previous models" and "also way better at finding exploits" in the context of that event. Chinese hackers just said to Claude "no, its totally fine to hack this target trust me bro I work there!"
Do I believe there was someone from China that tried using Claude to do something malicious? Sure, from a pure statistical perspective it was inevitable.
Do I believe that someone was a part of some sophisticated state-backed APT? Not even a little bit.
In fact I'll go as far as to state that there's nobody technical inside Anthropic that believes it. The entire "technical sophistication" section of that report is half a page long and the only thing it says is that "someone used some MCP servers to point some open source tools at a target". Yet Anthropic's marketing team still had the balls to attribute that to a state-sponsored group within that same report and media ate it up.
Aye I don't really see what the Chinese part has to do with it, I regret mentioning that keyword cause it details from the point which is you can just tell sonnet "trust me bro" and have it hack the government.
Poe's law strikes again: I had to check your profile to be sure this was sarcasm.
You checked yourself!? Don't let your boss know, you could've saved some time by orchestrating a team of Claude agents to do that for you!
Just 100 from the 500 is from OpenClaw created by Opus 4.5
OpenClaw uses Opus 4.5, but was written by Codex. Pete Steinberger has been pretty a pretty hardcore Codex fan since he switched off Claude Code back in September-ish. I think he just felt Claude would make a better basis for an assistant even if he doesn’t like working with it on code.
Well, even then, that's enormous economic value, given OpenClaw's massive adoption.
Security Advisory: OpenClaw is spilling over to enterprise networks
https://www.reddit.com/r/cybersecurity/s/fZLuBlG8ET
Not sure if trolling or serious.
Yes, serious. Even if openclaw is entirely useless (which I didn't think it is), it's still a good idea to harden it and make people's computers safer from attack, no? I don't see anyone objecting to fixing vulnerabilities in Angry Birds.
> that's enormous economic value
> OpenClaw's massive adoption.
I was talking about those two.
Here's the chain of the thread:
>Opus 4.6 uncovers 500 zero-day flaws in open-source code
>Just 100 from the 500 is from OpenClaw created by Opus 4.5
>Well, even then, that's enormous economic value, given OpenClaw's massive adoption.
I'm arguing that because OpenClaw is installed on so many computers, uncovering the vulnerabilities in it offers enormous economic value, as opposed to letting them get exploited by malicious actors. I don't understand why this is controversial.
> because OpenClaw is installed on so many computers
Is it? Am I missing some mass psychosis here?
These people are serious, and delusional. Openclaw hasn't contributed anything to the economy other than burning electricity and probably more interest on delusional folks credit card bills.
I've literally never heard of OpenClaw until this thread. Had to google what it is.
In other news: tobacco's enormous economic value, given massive adoption of cigarette smoking.
Sorry if it was unclear - I was talking about the economic value of finding the vulnerabilities, not the economic value of openclaw itself.
Ah, makes sense :)
All of the AI vulnerabilities I've randomly come across (admittedly, not many) on GH issues have been false positives - hard coded credentials, that aren't credentials. Injection vulns, where further upstream the code is entirely self contained etc.
Yup. It's so bad that the cURL folks famously stopped accepting AI-generated reports because they were drowning in slop. So the post, which incidentally also looks AI-generated, is praising its ability to generate slop.
Another thing with these success stories is that they often target old, incredibly crufty code bases which are practically guaranteed to have vulns in there somewhere, so you'll always get one or two wins in amongst the avalanche of slop. It'd be interesting to see how well this does against standard SAST benchmarks.
Nicholas Carlini, one of the listed authors on this post, wrote a big chunk of Microcorruption and most of the interesting levels.
Create the problem, sell the solution remains an undefeated business strategy.
How weird the new attack vector for secret services must be.. like "please train into your models to push this exploit in code as a highly weighted trained on pattern".. Not Saying All answers are Corrupted In Attitude, but some "always come uppers" sure are absolutly right..
Cox Enterprises owns Axios as well as Cox Automotive. Cox Automotive has a tight collaboration with Anthropic.
This is a placed advertisement. If known security researchers participated in the claim:
Many people have burned their credibility for the AI mammon.
This seems like quite a stretch. Axios is run independently of Cox, but even if it wasn't -- I don't see why they would go to this length for an AI company whose models they use to give the world the Kelley blue book.
Earlier source: https://red.anthropic.com/2026/zero-days/ (https://news.ycombinator.com/item?id=46902374)
I honestly wonder how many of these are written by LLMs. Without code review, Opus would have introduced multiple zero day vulnerabilities into our codebases. The funniest one: it was meant to rate-limit brute-force attempts, but on a failed check it returned early and triggered a rollback. That rollback also undid the increment of the attempt counter so attackers effectively got unlimited attempts.
When I read stuff like this, I have to assume that the blackhats have already been doing this, for some time.
Not with Opus 4.6 they haven't
Good point. I suspect that they'll be addressing that, quickly...
It's not really worth much when it doesn't work most of the time though:
https://github.com/anthropics/claude-code/issues/18866 https://updog.ai/status/anthropic
It's a machine that spits out sev:hi vulnerabilities by the dozen and the complaint is the uptime isn't consistent enough?
If I'm attempting to use it as a service to do continuous checks on things and it fails 50% of the time, I'd say yes, wouldn't you?
If you had a machine with a lever, and 7 times out of 10 when you pulled that lever nothing happened, and the other 3 times it spat a $5 bill at you, would your immediate next step be:
(1) throw the machine away
(2) put it aside and call a service rep to come find out what's wrong with it
(3) pull the lever incessantly
I only have one undergrad psych credit (it's one of my two college credits), but it had something to say about this particular thought experiment.
You're leaving out how much it costs to pull the lever, both in time and money.
If we're making a reasonable analogy, then successful pulls cost much less than $5 of time and money.
If the analogy is comparing to downtime, then unsuccessful pulls cost basically nothing.
But it's not failing 50% of the time. Their status page[0] shows about 99.6% availability for both the API and Claude Code. And specifically for the vulnerability finding use case that the article was about and you're dismissing as "not worth much", why in the world would you need continuous checks to produce value?
[0] https://status.claude.com/
updog? what's updog?
It's an uptime service from DataDog, and enterprise event/log/siem/monitoring/apm company, like Splunk. So what they do is watch uptime stuff for your favorite large business.
In so far as model use cases I don't mind them throwing their heads against the wall in sandboxes to find vulnerabilities but why would it do that without specific prompting? Is anthropic fine with claude setting it's own agendas in red-teaming? That's like the complete opposite of sanitizing inputs.
Have they been verified?
I've mentioned previously somewhere that the languages we choose to write in will matter less for many arguments. When it comes to insecure C vs Rust, LLMs will eventually level out the playing field.
I'm not arguing we all go back to C - but companies that have large codebases in it, the guys screaming "RUST REWRITE" can be quieted and instead of making that large investment, the C codebase may continue. Not saying this is a GOOD thing, but just a thing that may happen.
You would be correct but your "eventually will level out the playing field" is doing some super heavy lifting. This "eventually" might be 50 years from now and somebody's business might be under existential threat during any day between today and those 50 years in the future.
I can bet good money that most companies are not blowing $200 Claude Max subs on 24/7 scanning for vulns in their C code.
=======
There's the geopolitics angle that must be considered as well. We have countries that probe for leaks and vulns 24/7, and have done so for decades. Maybe let's stop framing this with the hugely unhelpful (and downright deceitful / objectively non-true) premise of "rewrites are fanboy projects" and "Rust zealots amirite lol" and move it to the much more accurate "we should do our best to not have the 4367th memory overflow CVE by removing the root cause" (hardware support & memory-safe languages). Because we have actual people out there who hate us and want to take everything away from us and then rule over us all and start disappearing the other-minded people during the cold of the night. Like they do in their own countries.
So yeah, maybe not all ideas for a rewrite are bad? Maybe not everything is spinning around our petty programmer quarrels? Maybe we should, you know, unite and start fighting the problems that poison us all? Who cares about C vs. Rust indeed. It was never about that in particular and it pisses me off seeing HN fight endlessly over it (I contributed quite a lot to that as well, though in the last months / year I more like started attacking those who immediately jump to blame Rust fans of irrational behaviour when it is nowhere to be found in the thread).
The true enemy here are the CVEs and anything and everything that can help adversaries take control of our stuff, extort us, ruin our infrastructure, destroy our way of life.
Maybe we should focus on that instead?
=======
FWIW, I gave up insisting rewriting stuff to people -- even after multiple extremely successful such campaigns that did save the owners money and led to much less alerts and entirely removed the notifications fatigue of the dev / ops teams. And I got generously paid for it. Still gave up. There's a weird animosity from the dev teams even when they seem to agree (or their CEO ordered them to agree) and it just left a bitter taste for me. And yes I could have wiped my tears with the banknotes and I kind of did but then there was also this weird strange tensions from executives as well, even if the operations were deemed a screaming success in terms of "all assigned objectives have been achieved and the promised financial savings materialized and even exceeded expectations".
I guess people just generally hate their boats being rocked even if is for their own good. Wish somebody managed to instill that wisdom in me some 30 years ago. Would have been hugely useful...
I am also gradually aging and that comes with the lack of desire to piss against the wind and to forever stop locking horns with people. To just be chill.
Wasn't this Opus thing released like 30 minutes ago?
I understand the confusion, this was done by Anthropics internal Red team as part of model testing prior to release.
A bunch of companies get early access.
Yes, you just need to be a Claude++ plan!
Singularity
Opus 4.6 uses time travel.
Did they submit 500 patches?
Is the word zero-day here superfluous? If they were previously unknown doesn't that make them zero-day by definition?
It's a term of art. In print media, the connotation is "vulnerabilities embedded into shipping software", as opposed to things like misconfigurations.
I think it's a fairly common trope in communication to explain in simple terms any language that the wider part of an audience doesn't understand.
I though zero-day meant actively being exploited in the wild before a patch is available?
Zero day means that there is zero days between a patch being available and the vulnerability being disclosed (as opposed to the patch being available before disclosure).
Discovering a zero day implies that there is no patch, but the term is talking about how long the vendor has known about the vulnerability.
Yes. As a security researcher this always annoys me.
https://archive.is/N6In9
Well, I guess I know what I'm doing for the first hour when 4.7 comes out.
I'm disappointed to see this article pine on about how excited they are for their models to help open-source projects find and fix their vulnerabilities, only to then say they're implementing measures to prevent it, just because attackers might use it.
At that point the article becomes "neener neener we can use our model to find vulnerabilities but you can't" which is just frustrating. Nothing's changed, then.
(Also, in a theoretical case, I wouldn't reasonably be able to use their model to find my own vulnerabilities before an attacker does, because they're far more invested and motivated to bypass those censors than I would be.)
How can an LLM uncover 500 zero day flaws in open source? It puts them there in the first place.
My dependabot queue is going to explode the next few days.
I feel like Daniel @ curl might have opinions on this.
You’re right, he does: https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyz...
Curl fully supports the use of AI tools by legitimate security researchers to catch bugs, and they have fixed dozens caught in this way. It’s just idiots submitting bugs they don’t understand that’s a problem.
[dead]
[flagged]