[pingou]

Or they could check if the source is open source and available on the internet, and if yes refuse to analyse it if the person who request the analysis isn't affiliated to the project.

That will still leave closed source software vulnerable, but I suspect it is somewhat rare for hackers to have the source of the thing they are targeting, when it is closed source.

[solenoid0937]

How can they tell if the software is closed or open source?

They would have to maintain a server side hashmap of every open source file in existence

And it'd be trivial to spoof. Just change a few lines and now it doesn't know if it's closed or open

[pingou]

Of course just having the hash of the file wouldn't work, they would have to do something more complicated, a kind of perceptual hash. It's not easy, but I think it is doable.

But then I suspect lots of parts in a closed source project are similar to open source code, so you can't just refuse to analyze any code that contains open source parts, and an attacker could put a few open source files into "fake" closed source code, and presumably the llm would not flag them because the ratio open/closed source code is good. But that would raise the costs for attackers.