Actually, Mudge of the l0pht (and later DARPA) once famously made the claim that all bugs are security issues waiting to be exploited in some way (I’m probably paraphrasing). I kind of agree. Although, the bugs on this dump are indeed mostly pretty lame, which is exactly what I’ve seen you get a lot of when you let an llm go bug hunting with no human vetting and confirmation in the loop.
It’s possible/likely that whomever is running this experiment is keeping the non slop bugs to themselves. It’s probably what I’d do.
Such claims can both be true and pointless. For those of us who have to decide what actions to take, there is a point in differentiating between bugs and vulnerabilities, and breathlessly proclaiming "we found a vulnerability but we don't have an exploitation vector or proof that there's a meaningful security consequence" is annoying and likely to get the proclaimer ignored in the future.
all vulnerabilities are just bugs.
Vulns are a subset of bugs. What the above commenter is saying, is that some bugs don't belong to this category.
But not the other way around, which makes them different.
Actually, Mudge of the l0pht (and later DARPA) once famously made the claim that all bugs are security issues waiting to be exploited in some way (I’m probably paraphrasing). I kind of agree. Although, the bugs on this dump are indeed mostly pretty lame, which is exactly what I’ve seen you get a lot of when you let an llm go bug hunting with no human vetting and confirmation in the loop.
It’s possible/likely that whomever is running this experiment is keeping the non slop bugs to themselves. It’s probably what I’d do.
Such claims can both be true and pointless. For those of us who have to decide what actions to take, there is a point in differentiating between bugs and vulnerabilities, and breathlessly proclaiming "we found a vulnerability but we don't have an exploitation vector or proof that there's a meaningful security consequence" is annoying and likely to get the proclaimer ignored in the future.