I'm an OSS developer and I've received three "CWE" alerts in the last two weeks. While they were all valid, they were for very trivial things like "this debug logfile could overwrite a file if it were a symlink" and "if a user is able to put OSC screen codes into the Git output, they could write arbitrary data to the screen".
These AI models are making *everything* sound like an exploit. Not sure if this is good for the ecosystem. It makes me question everything that comes in more carefully. Is this a real exploit, or someone farming for karma to claim "I opened 39 CWEs in the last week. Hire my 'security' company to audit your code."