Stanislav Fort

@stanislavfort
AI + security at AISLE | Stanford PhD in AI & Cambridge physics | ex-Anthropic and DeepMind | scientific progress + economic growth
@eris2cats Sure. What specifically is the crux of the disagreement tho? I think it's 100% clear that AI can discover vulnerabilities in even the most audited codebases on the planet. Evidence for that are the 12 CVEs just announced in OpenSSL in January. There I know it was AI because I am the reporter of the majority of these 12 issues and literally built the AI system that discovered them.
@eris2cats @Schneier_rss There is a great bifurcation happening to the full distribution of AI security outcomes. The slop is real, but so are the zero-days in OpenSSL, curl, the Linux kernel, Chromium etc that we discovered. You are right that we're witnessing the collapse of the median (=the slop), which is common in every democratization of access to things. But the right tail end of the distribution is rising rapidly at the very same time.

AI Found Twelve New Vulnerabilities in OpenSSL

The title of the post is “What AI Security Research Looks Like When It Works,” and I agree:
In the latest

@eris2cats @Schneier_rss you are not correct here, there was very little human-in-the-loop involvement in these findings. The discovery -> triage -> verification -> patch-generation loop was essentially autonomous. Source: I did it.

OpenClaw has 200k stars and gives AI agents shell access, API keys, and code execution. 42,000 exposed instances on the public internet.

Everyone is asking what AI agents can do. Almost nobody is asking who secures them. We at AISLE do.

Blog post: https://aisle.com/blog/aisle-tops-openclaw-disclosures

AISLE Becomes the #1 Source for OpenClaw Security Disclosures

AISLE is the largest source of security findings in OpenClaw, exposing risks in AI agents with shell access, file system control, and API keys to y...

AISLE
AISLE is now the #1 source of accepted security findings in OpenClaw, the fastest-growing AI agent framework. Our AI discovered 15 vulnerabilities: 1 Critical (CVSS 9.4), 9 High, 5 Moderate. 21% of all OpenClaw security advisories globally are from us, more than anyone else ⏬

@drscriptt
I disagree with your characterization here. "just a bug" is simply not the class of things we're talking about here. What we have here is 1) a bug that 2) has security impact which is 3) important within the security posture of the project (OpenSSL in this case), and 4) gets recognized as such by getting a CVE by the security team.

regarding the discovery:
yes, you can't ever be sure that bad people don't know, but I am certain that good people didn't know <= no prior reports.

@drscriptt @nyanbinary @bagder about that, I was also quite uncertain what to call them. Tried to describe it at the start of the post for clarity:

> zero-day vulnerabilities (meaning previously unknown to maintainers at time of disclosure)

I understand that people deep in security often take "zero-day" to mean unknown AND actively exploited, but in my circles (more general public) it's often used as simply meaning "unknown by anyone else at the time of disclosure".

But point taken, thanks!