zlacker

[return to "LLM and Bug Finding: Insights from a $2M Winning Team in the White House's AIxCC"]
1. hqzhao+Mb[view] [source] 2024-08-16 21:23:19
>>garlic+(OP)
I'm part of the team, and we used LLM agents extensively for smart bug finding and patching. I'm happy to discuss some insights, and share all of the approaches after grand final :)
◧◩
2. doctor+Uh[view] [source] 2024-08-16 22:20:02
>>hqzhao+Mb
Everyone thinks bug bounties should be higher. How high should they be? Who should pay for them?
◧◩◪
3. hqzhao+Bj[view] [source] 2024-08-16 22:35:54
>>doctor+Uh
It really depends on the target and the quality of the vulnerability. For example, low-quality software on GitHub might not warrant high bug bounties, and that's understandable. However, critical components like KVM, ESXi, WebKit, etc., need to be taken much more seriously.

For vendor-specific software, the responsibility to pay should fall on the vendor. When it comes to open-source software, a foundation funded by the vendors who rely on it for core productivity would be ideal.

For high-quality vulnerabilities, especially those that can demonstrate exploitability without any prerequisites (e.g., zero-click remote jailbreaks), the bounties should be on par with those offered at competitions like Pwn2Own. :)

◧◩◪◨
4. doctor+Eq[view] [source] 2024-08-17 00:10:13
>>hqzhao+Bj
It seems really hard for people to like, name some vulnerabilities, name some prices. I'm glad you are playing along. Which scenario makes more sense:

    The Punchline: Microsoft pays $10m for vulnerabilities like the kind used to exploit SolarWinds and the Azure token audience vulnerability.

    The Status Quo: Thousands of people pay CrowdStrike a total of billions of dollars, in exchange for urgent patching when vulnerabilities become known.
Okay, do you see what I am getting at? On the one hand, if you pay bug bounties, the bugs get fixed, and they sure seem expensive. But if you look into how much money is spent on valueless security theatre, it is a total drop in the bucket. But CrowdStrike hires security researchers!

So what should the prices really be? For which vulnerabilities? The SolarWinds issue is probably worth more than $10m, if people are willing to pay 100x more to CrowdStrike for nothing.

◧◩◪◨⬒
5. saagar+XC[view] [source] 2024-08-17 04:37:52
>>doctor+Eq
The real question here is who is willing to pay $10 million for such a bug.
◧◩◪◨⬒⬓
6. tptace+1M1[view] [source] 2024-08-17 18:10:21
>>saagar+XC
Nobody. That far exceeds the current market prices of the most in-demand bugs.
◧◩◪◨⬒⬓⬔
7. doctor+CS1[view] [source] 2024-08-17 18:57:45
>>tptace+1M1
What is this market you speak of? Can you link me to it and show me the prices you are talking about? The Microsoft key vulnerability leaked all the State Department emails, and probably a lot more. It could have been used to compromise a lot of Azure. What is comparable?
[go to top]