You'll never shine if you don't glow 🌟💜
Currently: Edge Security @ MSFT
Previously: Chrome Security @ Google

When I was a PhD student, I attended a talk by the late Robin Milner where he said two things that have stuck with me.

The first, I repeat quite often. He argued that credit for an invention did not belong to the first person to invent something but to the first person to explain it well enough that no one needed to invent it again. His first historical example was Leibniz publishing calculus and then Newton claiming he invented it first: it didn’t matter if he did or not, he failed to explain it to anyone and so the fact that Leibniz needed to independently invent it was Newton’s failure.

The second thing, which is a lot more relevant now than at the time, was that AI should stand for Augmented Intelligence not Artificial Intelligence if you want to build things that are actually useful. Striving to replace human intelligence is not a useful pursuit because there is an abundant supply of humans and you can improve the supply of intelligent humans by removing food poverty, improving access to education, and eliminating other barriers that prevent vast numbers of intelligent humans from being able to devote time to using their intelligence. The valuable tools are ones that do things humans are bad at. Pocket calculators changed the world because being able to add ten-digit numbers together orders of magnitude faster allowed humans to use their intelligence for things that were not the tedious, repetitive, tasks (and get higher accuracy for those tasks). If you want to change the world, build tools that allow humans to do more by offloading things humans are bad at and allowing them to spend more time on things humans are good at.

Rage Against the Surveillance State 🛒

Today we’ve expanded the scope and rewards for the Chrome VRP V8 sandbox bypass rewards to include any demonstrated memory corruption outside the sandbox. (https://g.co/chrome/vrp#v8-sandbox-bypass-rewards)

The V8 sandbox is not yet considered a security boundary, but this expansion is one of many precursors to get there.
We do hope that if you’re doing browser or V8 research, you’ll start playing in our sandbox!

Also we have opened previous V8 sandbox submissions under the previous scope for early public disclosure in our bug tracker. This is a treasure trove of information for learning about known bypass techniques. (https://issues.chromium.org/hotlists/4802478)

Chrome Vulnerability Reward Program Rules | Google Bug Hunters

ATTENTION As of 4 February 2024, Chromium has migrated to a new issue tracker, please report security bugs to the new issue tracker using this form. Please see the Chrome VRP News and FAQ page for more updates and information. The Chrome...

Another big step towards becoming a security boundary: today we’re expanding the VRP for the V8 Sandbox

* No longer limited to d8

* Rewards for controlled writes are increased to $20k

* Any memory corruption outside the sandbox is now in scope

See https://bughunters.google.com/about/rules/chrome-friends/5745167867576320/chrome-vulnerability-reward-program-rules#v8-sandbox-bypass-rewards for more details.

Happy hacking!


I flat-out collapsed before the 30-second mark, just completely took my knees out

https://www.youtube.com/watch?v=cD3QlR98--A

via Jo Walton on Bsky

Hlavní nadraží Praha - znělka 02 (Dlouhá verze)

Know, and keep silent
#INFILTRATE

Project Zero blog:
LLMs find 0days now! 👀

And: our fuzzer setup did not reproduce it!

https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.html

#Bigsleep #LLM #Security #ProjectZero #GoogleDeepmind

From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

Posted by the Big Sleep team Introduction In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large L...

I have been noticing a lot lately how skateboarding taught me superpowers like “it’s okay to fail” and “don’t be scared just go try” and “it doesn’t matter if other people see you failing” and “a little pain isn’t something to be afraid of” and “try again”.
There's lots of uncertainty about the ultimate implementation and enforcement, but the apparent intention implies a big change in how companies can make money selling products and services that include software.

I have many questions stemming from the EU's new Product Liability Directive, and one of them is what it means for bug bounty programs.

If Big Tech companies perceive a significant increase of liability from software defects, then one wonders if it creates the incentive for budget owners to fund bug bounty program rewards to finally exceed black market rates.

In other words, the financial incentives aren't present for companies to fund product security over the myriad other very legitimate priorities - like surviving as a company. However, if there's a regulatory environment where company survival effectively depends on product security, then companies with deep enough pockets could at last have reason to pay researchers more than what the bugs are worth to those who make money selling exploits.