Where is the link to the advisories then? :/
reply
As the article explains, they mostly haven't been disclosed, because they're not fixed. They're giving people 90 days, or 45 after a patch is made.
reply
> haven't been disclosed, because they're not fixed.

That's convenient.

But wait, don't they have this amazing AI that can fix all the issues itself with a single /goal command? What's the holdup?

reply
You should really read the article; every question asked so far in this thread has been very clearly answered.

I miss the days when HN would RTFA.

reply
He doesn’t want to read the article. He just wants to LLM bad.
reply
[flagged]
reply
From the article

> As we noted above, the bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them.

...

> To begin, we’ve released Claude Security in public beta for Claude Enterprise customers. It’s a tool that helps teams scan their codebases for vulnerabilities, and which can generate proposed fixes for them. In the three weeks since launch, Claude Opus 4.7 has been used to patch over 2,100 vulnerabilities. (This is faster than the open-source patching described above in large part because enterprises are fixing their own code, whereas open-source fixes usually require volunteer maintainers who work through coordinated disclosure.)

Your critique of the article would likely land much better if you engaged with it.

reply
> The software industry’s longstanding convention is to disclose new vulnerabilities 90 days after they’re discovered (or, if a patch is created before the 90 days is up, around 45 days after the patch becomes available). This allows time for end users to update their software before a vulnerability can be exploited by attackers. Our own Coordinated Vulnerability Disclosure policy takes this approach.

> However, this means that disclosed vulnerabilities are a lagging indicator of the accelerating frontier of AI models’ cyber capabilities: we’re not yet at the point where we can fully detail our partners’ findings with Mythos Preview without putting end users at risk. Instead, we provide illustrative examples of the model’s performance, along with aggregate statistics on our progress to date. Once patches for the vulnerabilities that Mythos Preview has discovered are widely deployed, we’ll provide much more detail about what we’ve learned.

reply