I don't think anybody actually watches videos any more, so here's MWT's core point -

The flagship and lead vuln in the research is a BSD vuln, it cost $20k to discover with Mythos. Anthropic only reached a crash, and the vuln class in 99%+ cases never reaches RCE, just crashes.

So.. cool.. you spent $20k of VC money to find a crash as the flagship vuln. But... uhm... that isn't the end of the world.

The proof is going to be if any of the open source vulns turn out to be important. So far:

So here's the other thing that bothers me about all this. Regardless of the eventual results, this thing they're doing is *incredibly* resource intensive. They routinely spend billions of dollars on training these models, and billions more on operating them. It's not simple to parse out what fraction of that is directly attributable to the massive scale vuln finder/fabricator. But for the sake of argument lets just pick a plausible number, and call it 50-100 million dollars.

What could we have gotten for 50-100 million dollars of sponsorship for security audits? Prior to this, the largest single investment into FOSS security I'm aware of was the 2015 audit of openssl, after the heartbleed incident. It's hard to find precise costs for that, but I found a few sources estimating 1.2 million dollars, and that is arguably the most security critical piece of software in the world.

But suddenly there's 100x more resources available to do this work, now that producing the artifact can be done with stolen labor? Now that they can externalize the cost of false positives onto the already mostly unpaid maintainers of these projects? Even if their claims are true, which we have no reason to believe and very good reason not to, it's still a travesty