Anterograde amnesia. Opus 4.1 happily raising a javascript URI XSS vector in the CSS's url() function. Nope. What's next, vbscript: ?

But it's the first model, I think, that generates codeFlows in SARIF.

I find it fascinating that `gpt5-codex` is making the same mistake often when generating a SARIF file. The last "locations" object is not properly closed and it closes the array before... then it craps out.

Ok, so this MUST be the attackers behind Nx at play. I just started analyzing the exfil mechanism through GitHub repos, and wow... This is bad news. We've got a worm on our hands.

We just released our deep look at Claude Code and Codex on real web apps for finding vulns. Some good, some pretty bad!

nx compromised. malware uses Claude Code CLI/Gemini CLI to explore the filesystem -

ty, our upcoming static type checker and language server for Python, is accidentally on the front page of HN. We're rapidly closing in on an initial "experimental preview release"...

New export controls incoming, Bloomberg reporting: "But if an AI company wants to fine-tune a general-purpose open weight model for a specific purpose, and that process uses a significant amount of computing power, they would need to apply for a US government license to do so in

Having seen xbow in action: if you’re making a living from bug bounties, and relying on generic vulnerability classes, I would consider alternative career plans

Was chatting with a well-known founder yesterday about the "founder mode" discussion. We were both wondering if people would misinterpret it, and undervalue the importance of hiring great leaders. Steve Jobs, the canonical example of "founder mode", was also gifted at

This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵1/n

Excited to announce my preprint "eyeballvul: a future-proof benchmark for vulnerability detection in the wild". I create a benchmark to evaluate the vulnerability detection capabilities of long-context models on entire codebases, containing over 24,000 vulnerabilities, then

A little prompt hack to peer into the inner mind of claude: "from now, use $$ instead of <> tags"

There is rumbling afoot of a series of articles coming that will be targeting and possibly even naming and shaming both CISOs and VCs. Without naming my sources and not that it's important to do so anyway, because the following article does a good job of giving a high level lay

📽️ New 4 hour (lol) video lecture on YouTube: "Let’s reproduce GPT-2 (124M)" https://t.co/NMIVD1V6zr The video ended up so long because it is... comprehensive: we start with empty file and end up with a GPT-2 (124M) model: - first we build the GPT-2 network - then we optimize

Hey, for anyone who wanted to see this slide deck, it was a keynote about the 0day market, but it commented on public research vs saleable products. I have put it here: https://t.co/XZ89wFwLVJ // cc @chompie1337 @bsdaemon

If you are running into broken GitHub integrations today, it's because GitHub issuecomment IDs have just passed the maximum value of i32. For example @rustlang's rfcbot is currently out of commission with an i32 overflow.

https://t.co/3OjegynkIU

Bringing in a dependency allows me to just get shit done at the cost of quick validation. I'm not generally going to look at the code, and neither are you. The same is true of builtins for your language/OS, which can have _worse_ attack surface from trying to please everyone

🎩📷 Lady Whistledown has the scoop! @Netflix has paid out $1,000,000 in bounties, thanks to the 5,630 researchers who made this possible, read on to learn more about how we secure the ton 📷 https://t.co/D4zWV5ffi7… #Netflix #BugBounty #Bridgerton📷