Hacker News

rvz · yesterday at 4:41 PM · 2 replies

> Pwno is an AI cybersecurity startup...

We all know that LLMs were used to find these vulnerabilities, specifically on high impact projects. That's fine.

However, my only question is who actually provided the patch: The maintainers of FFmpeg? The LLM that is being used? Or the security researchers themselves after finding the issue?

It seems that these two statements about the issue are in conflict:

> We found and patched 6 memory vulnerabilities in FFmpeg in two days.

> Dec, 2025: avcodec/exif maintainer provided patch.


Replies

tredre3 · yesterday at 5:56 PM

PWNO provided a patch but it was rejected for being too large[1]. A maintainer fixed it himself[2]. I don't know if PWNO used an LLM, but it seems clear that the maintainer had a specific preferred style in mind, so it was likely hand written (albeit inspired by the initial patch).

1. https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21258

2. https://code.ffmpeg.org/FFmpeg/FFmpeg/commit/4bfac71ecd96488...

9cb14c1ec0 · yesterday at 5:41 PM

> We all know that LLMs were used to find these vulnerabilities

How do we know that? You seem quite certain.
