So it cost Anthropic $20k to find this OpenBSD crash bug which amounts to putting a negative integer in a TCP field where a negative integer was not expected by the C code which does some cavalier int cast bullshit, i.e. a vuln which is totally fuzzable, and quite certainly would have been found by the fuzzers of the 2010s had anyone cared to burn that much compute on fuzzing OpenBSD.

The difference today is not that anybody suddenly cares about investing that much in OpenBSD (is the build server still a donated machine running in Theo's basement?), but that OpenBSD's reputation for security makes it really good marketing if you can find a bug, any bug, it doesn't matter; and that marketing value is what makes it worth spending $20k on fuzzing.

I don't mean to throw shade at OpenBSD here, it's a scrappy project running on the smell of an oily rag and I have a lot of respect for that kind of scrappy resourcefulness, but it's key to understanding why the most salient factor here is big tech deciding to throw lots of money at it. That this is the best they got for $20k really speaks to why nobody bothered previously.

@hailey This was not the "best" bug found, it was the *oldest*. 20k is small compared to the yearly income of the project (around 500k CAD in 2025). They do have an ongoing fuzzing project which found a number of bugs, but not this particular one. They don't seem to publish how much money they did spend on fuzzing, but they certainly can afford 20k if they feel the need.

This is in fact an impressive advance in the capabilities of Claude.