Mythos found 271 Firefox flaws – but none a human couldn’t spot
- News link: https://www.theregister.co.uk/2026/04/22/mozilla_firefox_mythos_future_defenders/
The FOSS outfit on Tuesday [1] reminded readers that it used Anthropic’s Opus 4.6 model to look for bugs in Firefox 148 and found 22 bugs.
Mythos found 271 vulnerabilities in Firefox 150.
Mozilla CTO Bobby Holley expressed mixed feelings about that result, which he described as giving the Firefox team “vertigo” as they confronted the need to fix so many flaws.
“For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it’s even possible to keep up,” he wrote.
He also thinks the huge haul of bugs Mythos identified represents “light at the end of the tunnel” for security teams.
“Our work isn’t finished, but we’ve turned the corner and can glimpse a future much better than just keeping up,” he wrote, then turned on bold text and declared “Defenders finally have a chance to win, decisively.”
He offered that prediction because he feels “Until now, the industry has largely fought security to a draw” while acknowledging it’s all but impossible to eliminate all exploits.
“Instead, we aimed to make them so expensive that only actors with functionally unlimited budgets can afford them, and that the cost of burning such an expensive asset disincentivizes those actors against casual use,” he wrote.
Mythos changes the game, he feels, by improving on the fuzzing tools Mozilla uses to find bugs without human intervention.
“Elite security researchers find bugs that fuzzers can’t largely by reasoning through the source code,” he wrote. “This is effective, but time-consuming and bottlenecked on scarce human expertise.
“Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world’s best security researchers, and Mythos Preview is every bit as capable. So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t.”
[7]Mozilla throws Thunderbolt at enterprise AI providers
[8]Nobody knows how many CVEs Anthropic's Project Glasswing has actually found
[9]Mozilla introduces cq, describing it as 'Stack Overflow for agents'
[10]Firefox taps Anthropic AI bug hunter, but rancid RAM still flipping bits
The CTO thinks Mythos’ abilities “can feel terrifying in the immediate term, but it’s ultimately great news for defenders.”
“A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker’s long-term advantage by making all discoveries cheap.”
He then hit CTRL-B again, and busted out CTRL-I too, to note “Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher.”
The CTO also poured cold water on those who assert “future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension.”
He doesn’t think that will happen, because “Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex, but not arbitrarily complex.”
“The defects are finite, and we are entering a world where we can finally find them all.” ®
[1] https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/
[7] https://www.theregister.com/2026/04/16/mozilla_thunderbolt_enterprise_ai_client/
[8] https://www.theregister.com/2026/04/15/project_glasswing_cves/
[9] https://www.theregister.com/2026/03/24/mozilla_introduces_cq_stack_overflow/
[10] https://www.theregister.com/2026/03/06/firefox_bugs_anthropic_ai/
Re: Good, but also bad
Good if companies use it (or similar) to find and fix bugs first.
Bad if, as is more likely, a lot simply don't bother fixing and still keep adding crap for marketing reasons, etc.
On average I expect this is bad.
Just like other instances of AI, how much effort will go into fixing hallucinations: Day0 bugs that don't actually exist?
Icon: clearly psychedelic hallucinations, Watson.
Over on LWN there's an article about a similar story of using AI against Python. The AI found around 500 bugs and 10-15% were false positives.
[1] https://lwn.net/Articles/1067234/
[1] https://lwn.net/SubscriberLink/1067234/e5312bed2037a102/
So only about 400 actual bugs, then. Phew, that's a relief!
Well, "hallucinations"¹ are not "bugs". They're a consequence of the design and operationalisation of the software. A feature, if you like (and one, interestingly, that they share with humans).
¹ Terrible term – "confabulations" is probably more appropriate, or even "get shit wrong".
Non-exploitable bugs
We are already fixing non-exploitable bugs; this will detect a lot of bugs that potentially cannot be exploited. How many Strings holding passwords have I fixed in Java, and none were exploitable? Or log4j: it can't be exploited in our config, yet we had to fix it, etc. etc.
Microsoft will buy them, I think..
.. because there's no way they want to fix all the bugs they keep introducing by Bug Tuesday.
After all, who would continue to subscribe when the FOMO on security risks no longer applies?
Not sure what his statement means
Of course Mythos didn't find any bugs that humans COULDN'T have found. That's a tautology. They're both examining the same code, it is impossible for there to be bugs only Mythos could find and humans could never find no matter how closely they looked or for how long.
Re: Not sure what his statement means
I suppose the statement should be "Mythos found bugs that humans could have found, but didn't".
Around these parts we're highly sceptical about AI, and rightly so. But in this example, there was nothing stopping anyone going looking through the code themselves; the relevant point is that either they hadn't looked, or they hadn't spotted the bugs.
Open source is a bit like peer review in science - yes, anybody can check, that isn't of itself an assurance. Hopefully AI can help FOSS devs and maintainers to find the bugs, I hope they don't use AI to try and write code.
Re: Not sure what his statement means
Until I see multiple detailed write-ups of what Mythos is being given and producing, with concrete PoCs that actually expose the issue, I'm still taking this with multiple container ships of salt. But this does expose the rather awkward hypothetical: at best (assuming any of this is true), we can build idiots that can kick down barns, but appear to be drawing a blank on systems that can write and maintain secure code.
Re: Not sure what his statement means
There are whole classes of bugs that are difficult for a human to find as they require so much information to be held in the head at the same time.
To use a slightly off-topic example: I have found this on a project where a very well respected DER (who was part of the DO-178x standard development team) failed to spot issues in requirements during their detailed reviews that tools written in Python were able to find (by comparing large datasets extracted from the requirements). It is not that the person isn’t brilliant, just that they are human!
Mythos has found no issues with our DO-178C DAL-A certifiable OS code.
Anon: because my company has not officially made any announcement.
Re: Not sure what his statement means
The pertinent question is, surely, how many (presumably expert) humans would it have taken to find all those bugs, and how long would it have taken to find them.
AI seems to be a great source of eyes
As needed for [1]Linus's Law to be effective.
AI will be used by the bad guys as well as the good ones; but the ultimate losers will be the likes of Israel's NSO Group, and the world will be a safer place.
[1] https://en.wikipedia.org/wiki/Linus%27s_law
Stop twatting about with the UI
And sort the bugs.
"AI means developers finally have a chance to get on top of security"
No !
Developers have always had "the chance" to be on top of security, on condition that their management gives them the time to do the job right (yeah, I know, fat chance).
The only thing this tool will do is allow manglement to shorten dev time even further because "when you're done, just hand it over to AI and it'll sort that out".
In other words, this is yet another "tool" that is just going to end up being a crutch to a brain function humans don't use anymore.
I have one question : how many of you remember all the phone numbers of your family and personal friends without checking your smartphone ?
I can't even remember my own wife's number. If I lost my smartphone, I wouldn't know where to call to get help (or how, given phone booths have all but disappeared).
How's that for being borged into the Collective ?
Re: "AI means developers finally have a chance to get on top of security"
> The only thing this tool will do is allow manglement to shorten dev time even further …
Will it though? What would be the point of finding bugs if you've no intention of fixing them? And you need devs for that.
Re: "AI means developers finally have a chance to get on top of security"
If there's one thing using Opus 4.6 has taught me, it's that it sure as hell has a relaxed attitude to implementing secure code. (Better than some LLMs, no worse than others.)
Purify moment
Reminds me of when Purify came out. We closed a crash that had resisted for months in an afternoon. It was a game changer and significantly improved C/C++ software robustness.
Now to get lasting benefits you need to make that part of the process, run as part of CI, mute the false positives, and assign time for the team to keep ahead of the report stream. Where I was working then it did not happen and it remained a last resort tool. Where the tool will be used intermittently, the attackers will still have an edge, using the tool once in a clever way, finding a new zero-day.
Can you guess whether it will be the excuse to cut the dev team, or hire a new guy to run the new process ?
Note: for the younger audience, Purify is the closed source ancestor to Valgrind, finding memory usage bugs through object code instrumentation.
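Added example, not from the article or from any commenter: one way to do what the Purify post describes (run the tool in CI, mute the false positives, keep ahead of the report stream) while living with a false-positive rate like the 10-15% mentioned in the LWN link above is to fingerprint each finding and keep a reviewed suppression list, so the build fails only on findings nobody has looked at yet. The scanner output format, file names, snippets and findings below are all constructed for illustration and assume no real tool's schema; they are not real bugs in any real code base.

```python
"""Added example (not from the article or any commenter): a CI triage gate
that fails only on findings not already reviewed as false positives.

The scanner output format, paths and findings below are constructed for
illustration; they are not any real tool's schema or real bugs.
"""
import hashlib
import re

# Constructed sample: one scanner run over a hypothetical C code base.
SCAN_RUN_1 = [
    {"rule": "use-after-free", "file": "src/list.c", "line": 41,
     "snippet": "  free(node);\n  return node->next;"},
    {"rule": "integer-overflow", "file": "src/image.c", "line": 88,
     "snippet": "  size_t bytes = width * height * 4;"},
]

# Constructed sample: a later run. An unrelated edit shifted line numbers
# and reindented one line, and one genuinely new finding appeared.
SCAN_RUN_2 = [
    {"rule": "use-after-free", "file": "src/list.c", "line": 57,
     "snippet": "  free(node);\n  return   node->next;"},
    {"rule": "integer-overflow", "file": "src/image.c", "line": 101,
     "snippet": "  size_t bytes = width * height * 4;"},
    {"rule": "null-deref", "file": "src/url.c", "line": 12,
     "snippet": "  return spec->len;"},
]


def fingerprint(finding):
    """Stable identity for a finding: rule, file and whitespace-normalised
    snippet. Line numbers are deliberately left out so a suppression
    survives unrelated edits elsewhere in the file."""
    norm = re.sub(r"\s+", " ", finding["snippet"]).strip()
    key = f'{finding["rule"]}|{finding["file"]}|{norm}'.encode("utf-8")
    return hashlib.sha256(key).hexdigest()[:16]


def record_false_positive(suppressions, finding, reason):
    """A reviewer marks a finding as a false positive. The written reason is
    mandatory so the suppression can be audited (and revisited) later."""
    if not reason.strip():
        raise ValueError("a suppression needs a written justification")
    suppressions[fingerprint(finding)] = reason
    return suppressions


def triage(findings, suppressions):
    """Split a run's findings into (new, suppressed) lists."""
    new, suppressed = [], []
    for f in findings:
        (suppressed if fingerprint(f) in suppressions else new).append(f)
    return new, suppressed


def ci_exit_code(findings, suppressions):
    """0 when every finding is a known false positive, 1 when anything new
    needs a human. Suppressed findings never fail the build, so the team
    only pays attention to the delta between runs."""
    new, _ = triage(findings, suppressions)
    return 1 if new else 0


if __name__ == "__main__":
    known = {}
    # First run: everything is new, a reviewer looks at each one.
    new, _ = triage(SCAN_RUN_1, known)
    print(f"run 1: {len(new)} new finding(s)")
    # Reviewer decides the overflow cannot happen because the caller bounds
    # width and height. The UAF is real, so it is NOT suppressed: it keeps
    # failing the build until someone actually fixes it.
    record_false_positive(known, SCAN_RUN_1[1], "width/height bounded by caller")
    new, suppressed = triage(SCAN_RUN_2, known)
    print(f"run 2: {len(new)} new, {len(suppressed)} suppressed")
    for f in new:
        print(f"  NEW {f['rule']} {f['file']}:{f['line']}")
    raise SystemExit(ci_exit_code(SCAN_RUN_2, known))
```

The suppression list is the part that needs discipline: every entry carries a reviewer's justification, and a real bug is never suppressed to make the build green. Run stand-alone, the script exits 1 on the second run because the unfixed use-after-free and the new null-deref are both unreviewed.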
Good, but also bad
If this is true then it's a great tool to help identify and help sort out bugs and other security flaws in software quicker than previously possible. It's also potentially bad, as some companies will see this as an opportunity to replace existing staff with this tool, which would be foolhardy as you'd still need to fix the code. And if your software is fundamentally just badly designed - such as Windows - how long before someone manages to identify a few dozen hundred zero-days in the software and start targeting those for ransom/fun/spite?
Some companies are really going to have to up their game.