Hacker News

nextaccountic, today at 1:11 AM (2 replies)

The problem is that serious software is drowning in AI vulnerability reports. There is not enough manpower to analyze them properly. And if you ignore the reports (like curl is doing in their 1-month vacation), malicious actors will just exploit them. At some point it's inevitable to just rubber stamp whatever is coming from AI.

The actual, underlying problem is that software is buggy and current programming languages aren't fit for writing reliable software. There's a wide gap between the state of the art in formal verification and what is actually practiced in the industry. It's because of this general unreliability that AI has a large supply of vulnerabilities to find. The situation will only get better if software becomes reliable and is written on solid foundations.

My guess is that AI will be even more useful to verify software (something like, write Lean or Coq proofs that the software is not vulnerable, things like that), rather than finding vulnerabilities piecemeal but still letting software be written in unsuitable languages, with no formal verification to prevent bugs from sneaking through.


Replies

cbzbc, today at 6:58 AM

That gap explains much of the spike. Companies who never used any scanning tools on much of their codebase are suddenly having that gap closed.

re-thc, today at 7:42 AM

> At some point it's inevitable to just rubber stamp whatever is coming from AI.

To make it worse? AI and even Fable can make things +50% and then -50% in different places. You can trade 1 bug for another.

So just "rubber stamp" doesn't make it better.