[bri3d]

Yes, once we reach the broader conversation (I actually didn't initially grasp that the OP post was a sub-article under another one on LWN which then linked out to yet another article called "Vulnerability Research is Cooked"), I completely agree.

Modern LLMs are _exceptionally_ good at developing X-marks-the-spot vulnerabilities into working software; I fed an old RSA validation mistake in an ECU to someone in a GitHub comment the other day and they had Claude build them a working firmware reflashing tool within a matter of hours.

I think that the market for "using LLMs to triage bug-report inputs by asking it to produce working PoCs" is incredibly under-leveraged so far and if I were more entrepreneurial-minded at this junction I would even consider a company in this space. I'm a little surprised that both this article and most of the discussion under it hasn't gone that direction yet.

[tptacek]

(I wrote the "Cooked" article, I'm not entirely sure why people are commenting on it on LWN.)

[Chu4eeno]

according to anthropic's red team not even the secret claude stuff they're holding back is able to weaponize vulnerabilities without simplifying (disabling mitigations etc).

so we might be lucky that the LLMs are able to find the vulnerabilities before they are able to weaponize them, giving defense a time window.