upvote

points

by Filligree1 hours ago |
comments
upvoteby mccr81 hours ago|
next
[-]
The flood of reports that open source projects like curl, Linux and Chromium are getting are presumably due to public models like Open 4.6 that released earlier this year, and not models with limited availability.
reply
upvoteby amarcheschi1 hours ago|
prev|
next
[-]
How many months till they release a better model than mythos to general audience?

Gpt 2 wasn't released fully because OpenAI deemed it too dangerous, rings a bell? https://openai.com/index/better-language-models/#sample1

reply
upvoteby Hizonner1 hours ago|
parent|
[-]
A few months of restricting access to people they think will actually fix problems is a big deal. Obviously only an idiot would think it could or should be kept under wraps forever.
reply
upvoteby 1 hours ago|
prev|
next
[-]
deleted
reply
upvoteby kordlessagain1 hours ago|
prev|
next
[-]
Those vulnerabilities were found by open models as well.
reply
upvoteby abustamam56 minutes ago|
parent|
next
[-]
Partly true. I think the consensus was it wasn't comparable because Mythos swept the entire codebase and found the vulnerabilities, whereas the open models were told where to look for said vulnerabilities.

https://news.ycombinator.com/item?id=47732337

reply
upvoteby mccr858 minutes ago|
parent|
prev|
[-]
Not really. The models were pointed specifically at the location of the vulnerability and given some extra guidance. That's an easier problem than simply being pointed at the entire code base.
reply
upvoteby embedding-shape1 hours ago|
prev|
[-]
> judging by the flood of vulnerability reports seen by e.g. Daniel Stenberg

Maybe I've missed anything, but what Stenberg been complaining about so far been the wave of sloppy reports, seemingly reported by/mainly by AIs. Has that ratio somehow changed recently to mainly be good reports with real vulnerabilities?

reply
upvoteby rhdunn1 hours ago|
parent|
next
[-]
Some relevant links:

[1] https://www.npr.org/2026/04/11/nx-s1-5778508/anthropic-proje...

> Improvement in AI models' capabilities became noticeable early 2026, said Daniel Stenberg.

> He estimates that about 1 in 10 of the reports are security vulnerabilities, the rest are mostly real bugs. Just three months into 2026, the cURL team Stenberg leads has found and fixed more vulnerabilities than each of the previous two years.

[2] https://www.linkedin.com/posts/danielstenberg_curl-activity-...

> The new #curl, AI, security reality shown with some graphs. Part of my work-in-progress presentation at foss-north on April 28.

reply
upvoteby StrauXX1 hours ago|
parent|
prev|
next
[-]
He has changed his opinion completely. Yes, the ratio has turned.
reply
upvoteby depr1 hours ago|
parent|
prev|
[-]
Yes:

> The challenge with AI in open source security has transitioned from an AI slop tsunami into more of a ... plain security report tsunami. Less slop but lots of reports. Many of them really good.

> I'm spending hours per day on this now. It's intense.

https://mastodon.social/@bagder/116336957584445742

reply