Anthropic's bug-hunting Mythos was greatest marketing stunt ever, says cURL creator
Briefly

"Getting the tool to generate a first proper scan and analysis would be great, whoever did it."
"That scan, which analyzed curl's git repository at a recent master-branch commit, was sent back to him earlier this month, and it found just five things that it claimed were 'confirmed security vulnerabilities' in cURL. Saying he had expected an extensive list of vulnerabilities, Stenberg wrote that the report 'felt like nothing,' and that feeling was further validated by a review of Mythos' findings."
"'Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability,' Stenberg said, bringing us back to the aforementioned number."
"As for the other four, three turned out to be false positives that pointed out cURL shortcomings already noted in API documentation, while the team deemed the fourth to be just a simple bug."
Anthropic’s Mythos was described as highly capable at finding security holes, but a scan of cURL’s git repository produced limited results. Daniel Stenberg expected a large vulnerability list after being promised access through Project Glasswing, yet he did not receive direct model access. Instead, someone with access ran Mythos against cURL and sent a report. The report analyzed a recent master-branch commit and claimed five confirmed security vulnerabilities. Stenberg’s security team reviewed the findings for hours, trimmed the list, and ended with one confirmed vulnerability. Three items were false positives tied to issues already documented in API materials, and the remaining item was treated as a simple bug.
Read at theregister