Hey all — authors of Vault Fault here (I’m Shahar, CEO at Cyata), really appreciate all the thoughtful comments.
Just to clarify - all the vulnerabilities were found manually by a very real human, Yarden Porat.
The writeup was mostly human-written as well, just aimed at a broader audience - which explains the verbosity. We did work with a content writer to help shape the structure and flow, and I totally get that some parts read a bit “sheeny.” Feedback noted and appreciated - and yep, there’s more coming :)
btw likely missed with the direct link - we also found pre-auth RCE in CyberArk Conjur - cyata.ai/vault-fault
Your writeup was excellent. There's no more ubiquitous or lower signal comment here these days than "I think this was written by AI." There is no piece of English writing one can link to on HN without someone spamming us with a sentence of that form.
Well written? AI. Poorly written? AI. Has a non-sequitur? AI. No non-sequiturs? AI. Includes an em-dash (added automatically by Word for almost two decades)? AI. No em-dashes? AI.
Eventually, hopefully, dang will declare "I think this was written by AI" to not be a productive topic for comments, just like commenters are already encouraged to engage with the strongest and best form of the ideas presented instead of attacking the most easily taken down strawman interpretation of them, but until then we all have to scroll through it on every post, no matter how well written it is, as yours is.
Ideally all the comments about presentation rather than content would be grouped into their own category, so the ones with more substance stand out. But I don't know how you'd do that other than with an LLM :-)
I disagree, the write-up is overly verbose. If AI helped inflate it, that's worthy of conversation.
Rhetorical faults are consistently discussed when security disclosures and notifications come up. How egotistical are the finders? Does it deserve a microsite? Does it deserve a logo? Similarly, why is the vendor response so vague? Why does it seem so weasel-like? Did they lie in this one place...?
The problem with AI writing is that it doesn't have a voice, is not typically good, and interferes with the ethos and pathos the author is trying to develop. It's verbose, and typically telegraphs a lack of editing or real review.
That humans still care about these things isn't a problem for dang to sort out. It's something that authors should continue to think about carefully before putting out automatically-generated content under their name.
"Does it deserve a logo and a microsite" is one of those debates that happens on message boards that is otherwise pretty alien to the practice of vulnerability research.
If these are the problems (or, your problems), then it seems that it doesn't matter if AI wrote it or not -- just that the writing isn't "good".