it really does have that AI writing style, and these are the sorts of bugs I imagine an AI could have found...I wonder if that's what they did (though they claim it was all manual source code inspection).
From reading it and mostly from the introduction, it felt like they rolled up their sleeves and really dug into the code. This was refreshing versus the vibe-coding zeitgeist.
I would be curious what AI tools assisted in this and also what tools/models could re-discover them on the unpatched code base now that we know they exist.
I can imagine they could have used AI to analyze, describe and map out what exactly happens in the code. Then again, it's Go, following the flow of code and what exactly is being checked is pretty straightforward (see e.g. https://github.com/hashicorp/vault/blob/main/vault/request_h... which was mentioned in the article)
> .I wonder if that's what they did (though they claim it was all manual source code inspection).
Give me one reason why they would do it by hand if they can automate is as much as possible. Vulnerability research is an area without any guarantees, you can spend months looking for bugs and find nothing. These guys are not stupid, they used LLMs trying to find whatever they could, they probably explored more blind alleys than we will know, and then got very good results. Many other companies are doing the same.
it really does have that AI writing style, and these are the sorts of bugs I imagine an AI could have found...I wonder if that's what they did (though they claim it was all manual source code inspection).
Having the blog post explaining the findings written - or aided - by an AI doesn't necessarily mean that the findings themselves were found using AI.
Edit: even if the TLD they use is .ai and they heavily promote themselves as revolutionary AI security firm yadda yadda yadda
From reading it and mostly from the introduction, it felt like they rolled up their sleeves and really dug into the code. This was refreshing versus the vibe-coding zeitgeist.
I would be curious what AI tools assisted in this and also what tools/models could re-discover them on the unpatched code base now that we know they exist.
I can imagine they could have used AI to analyze, describe and map out what exactly happens in the code. Then again, it's Go, following the flow of code and what exactly is being checked is pretty straightforward (see e.g. https://github.com/hashicorp/vault/blob/main/vault/request_h... which was mentioned in the article)
> .I wonder if that's what they did (though they claim it was all manual source code inspection).
Give me one reason why they would do it by hand if they can automate is as much as possible. Vulnerability research is an area without any guarantees, you can spend months looking for bugs and find nothing. These guys are not stupid, they used LLMs trying to find whatever they could, they probably explored more blind alleys than we will know, and then got very good results. Many other companies are doing the same.