speckxFeb 5

Opus 4.6 uncovers 500 zero-day flaws in open-source code

https://www.axios.com/2026/02/05/anthropic-claude-opus-46-software-hunting

Exclusive: Anthropic's new model is a pro at finding security flaws

The AI company sees the model's advancements as a major win for cyber defenders in the race against adversarial AI.

Axios
Show thread_tk_Feb 5

The system card unfortunately only refers to this [0] blog post and doesn't go into any more detail. In the blog post Anthropic researchers claim: "So far, we've found and validated more than 500 high-severity vulnerabilities".

The three examples given include two Buffer Overflows which could very well be cherrypicked. It's hard to evaluate if these vulns are actually "hard to find". I'd be interested to see the full list of CVEs and CVSS ratings to actually get an idea how good these findings are.

Given the bogus claims [1] around GenAI and security, we should be very skeptical around these news.

[0] https://red.anthropic.com/2026/zero-days/

[1] https://doublepulsar.com/cyberslop-meet-the-new-threat-actor...

0-Days \ red.anthropic.com

Show threadtptacekFeb 5
I know some of the people involved here, and the general chatter around LLM-guided vulnerability discovery, and I am not at all skeptical about this.
Show threadmalfistFeb 5
[flagged]
Show threadcatoc
It does if the person making the statement has a track record, proven expertise on the topic - and in this case… it actually may mean something to other people
Feb 5 at 7:56pmWeb
Show threadshimmanFeb 5

Yes, as we all know that unsourced unsubstantiated statements are the best way to verify claims regarding engineering practices. Especially when said person has a financial stake in the outcomes of said claims.

No conflict of interest here at all!

Show threadtptacekFeb 5
I have zero financial stake in Anthropic and more broadly my career is more threatened by LLM-assisted vulnerability research (something I do not personally do serious work on) than it is aided by it, but I understand that the first principal component of casual skepticism on HN is "must be a conflict of interest".
Show threadmalfistFeb 5
You still haven't answered why I should care that you, a stranger on the internet, believes some unsubstantiated hearsay?
Show threadwtallisFeb 5

Take a look at https://news.ycombinator.com/leaders

The user you're suspicious of is pretty well-known in this community.

Leaders | Hacker News

Show threaddelusionalFeb 5
How is this whole comment chain not a textbook case of "argument from authority"? I claim A, a guys says. Why would I trust you somebody else responds. Well he's pretty well known on the internet forum we're all on, the third guy says, adding nothing to the conversation.
Show threadhiccup_socksFeb 5

it is literally just "authority said so".

and its ridiculous that someone's comment got flagged for not worshiping at the alter of tptacek. they weren't even particularly rude about it.

i guarantee if i said what tptacek said, and someone replied with exactly what malfist said, they would not have been flagged. i probably would have been downvoted.

why appeal to authority is totally cool as long as tptacek is the authority is way fucking beyond me. one of those HN quirks. HN people fucking love tptacek and take his word as gospel.

Show threadtptacekFeb 6
I am very lovable.
Show threadgnabgibFeb 6
:| iyho?
Show threadtptacekFeb 6
I don't think it's debatable.
Show threadeconFeb 6
Do you have a letter of recommendation?
Show threadtptacekFeb 6
Very several.
Show threaddvfjsdhgfvFeb 5

It doesn't mean we have to agree:

https://ludic.mataroa.blog/blog/contra-ptaceks-terrible-arti...

Contra Ptacek's Terrible Article On AI — Ludicity

Show threadtptacekFeb 5
Here's a fun exercise: go email the author of that blog (he's very nice) and ask how much of it he still stands by.