zlacker

LLM and Bug Finding: Insights from a $2M Winning Team in the White House's AIxCC
1. hqzhao+Mb 2024-08-16 21:23:19
>>garlic+(OP)
I'm part of the team, and we used LLM agents extensively for smart bug finding and patching. I'm happy to discuss some insights, and share all of the approaches after the grand final :)
2. doctor+Uh 2024-08-16 22:20:02
>>hqzhao+Mb
Everyone thinks bug bounties should be higher. How high should they be? Who should pay for them?
3. hqzhao+Bj 2024-08-16 22:35:54
>>doctor+Uh
It really depends on the target and the quality of the vulnerability. For example, low-quality software on GitHub might not warrant high bug bounties, and that's understandable. However, critical components like KVM, ESXi, WebKit, etc., need to be taken much more seriously.

For vendor-specific software, the responsibility to pay should fall on the vendor. When it comes to open-source software, a foundation funded by the vendors who rely on it for core productivity would be ideal.

For high-quality vulnerabilities, especially those that can demonstrate exploitability without any prerequisites (e.g., zero-click remote jailbreaks), the bounties should be on par with those offered at competitions like Pwn2Own. :)

4. 77pt77+1A 2024-08-17 03:20:55
>>hqzhao+Bj
> KVM, ESXi, WebKit, etc., need to be taken much more seriously.

OpenSSL