You can't bug fix your way out of the vulnpocalypse
20 points by freddyb
20 points by freddyb
(I work for Anthropic.)
I want to say that I very much appreciate the author putting that right up front.
This is the advice OpenBSD gave in 1996.
Of course this advice — when you find a bug, don't just fix that bug, fix that entire class of bugs, preferably by fixing what made it possible — is very old, and has always applied to all bugs, not just security bugs.
Back in 2021 I wrote this https://blog.mempko.com/bugs-faster-than-the-speed-of-thought/
and was quoted in wired about exploits in this article
https://www.wired.com/story/ai-write-code-like-humans-bugs/
Later it was found by Anthropic that you need a small amount of samples to poison a large model https://www.anthropic.com/research/small-samples-poison
We are in fun times...
Is it really a vulnpocalypse though?
Do you have a reason to think it isn't? Numerous high profile projects are reporting an impact on their projects. So anecdotally is seems as if it might be.
I don't think there is that large a jump compared to, say, 1 year ago.
You are definitely wrong, based on data from most open source projects I work on or interact with.
Yup. Totally wrong. We didn't put this out for the lols.. https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
It's part and parcel of Anthropic's "the sky is falling because of AI" narrative. It conveniently ignores LLM's contributions to the generation of code that has known vulnerabilities, and exaggerates LLMs abilities to find vulnerabilities. To be clear, I know machine learning is able to find vulnerabilities, but I disagree with the framing of "apocalypse." The security field has been using machine learning to find vulnerabilities for decades.
I thought they were going to offer that the AI finds and then the AI produces so fixing the past won't help fix the future, but sure, a "just do better patches" message works, too, I guess