Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.
Defenders finally have a chance to win, decisively
I’m curious how this will turn out in the long term. Are we going to have safer software? Not only defenders will have a powerful tool; attackers will too. But at the same time, the number of bugs is finite… Could we, in theory, one day achieve literally zero bugs in a codebase?
It does seem advantageous to the defender.
Another factor Mozilla didn’t mention (and that Anthropic wouldn’t like to emphasize) is that major LLMs are pretty similar. And their development is way more conservative than you’d think. They use similar architectures and formats, train from the same data, distill each other, further pollute the internet with the same output and so on. So if (for example) Mozilla red teams with Mythos, I’d posit it’s likely that attacker LLMs would find the same already-patched bugs, instead of something new.
…So yeah. I’d wager Mozilla’s sentiment is correct.
You can achieve zero bugs through liberal use of rm.
You can achieve the same effect with a hammer
Some LLMs will agree with you
Probably not safer software, but the window during which a bug is known and exploitable will shrink greatly. Instead of 0-days, we might have 0-minutes.
That’s assuming these ridiculous AI systems are rolling out deployments that fast, so maybe that idea’s nonsense.
It is theoretically possible through formal verification, which is getting easier thanks to Lean. But it’s still impractical.
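To make the zero-bugs idea concrete: formal verification proves a property for every possible input, instead of testing a few. A minimal Lean 4 sketch, with a made-up toy spec (the function and theorem names here are illustrative, not from any real project):

```lean
-- Toy spec: `double` must always return an even number.
def double (n : Nat) : Nat := n + n

-- Proved once, for all `n`; a counterexample is impossible by construction.
theorem double_is_even (n : Nat) : double n % 2 = 0 := by
  unfold double
  omega
```

The catch, as the comment says, is scale: proving properties of a browser-sized C++ codebase this way is far beyond what anyone can do today.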
Not zero bugs, but it should help. A benefit for defenders is that they can run AI review on code before making it public or shipping it in a stable release.