Vulnerability Researcher here… Unless your target has a security bounty process or reward; leave them alone. You don’t pentest a company without a contract that specified what you can and can’t test. Although I would personally appreciate and thank a well meaning security researchers efforts most companies don’t. I have reported 0days for companies that HAVE bounties and they still tried to put me in hot water over disclosure.. Not worth the risk these days.
We had a situation in Sweden when a person found that if you remove a part of the url (/.../something -> /.../) for a online medical help line service, they got back a open directory listing which included files with medical data of other patients. This finding was then sent to a journalist that contacted the company and made a news article of it. The company accused the tipster and journalist for unlawful hacking and the police opened a case.
But was it? Is it pen testing to remove part of an URL? People debated this question a bit in articles, but then the case was dropped. The line between pen testing and just normal usage of the internet is not a clear line, but it seems that we all agree that there is a line somewhere and that common sense should guide us in some sense.
You walk past a ministry office and notice that there is nobody at the door checking people entering, you walk in, you find an office door open, many binders on the shelves, nobody present. You read through the binders, pull out the drawers and see private info etc. You then walk out and send a mail about this. What do you think is going to happen?
This dive instructor was using this insurance company for his clients, and thus had a responsibility to prevent any known risk (data privacy loss in this case).
So he had two options: take his clients and his business to another insurer (and still inform all his current and previous clients about their outstanding risk), or try to help the insurer resolve the risk.
Good guideline advice but it seems you didn't read the article. Their personal data was at risk here. Leaving them alone would very likely result in a breach of this person's data. Both he and you have an ethical responsibility to at minimum notify the business of this problem and follow up with it.
> And the real irony? The legal threats are the reputation damage. Not the vulnerability itself - vulnerabilities happen to everyone. It's the response that tells you everything about an organization's security culture.
See. The moral of the story is that the entity care more about their face than the responsibility to fix the bug, that's the biggest issue.
He also pointed out bugs do happens and those are reasonable, and he agreed to expose them in an ethical manner -- but the goodwill, no matter well or ill intentioned, those responses may not come with the same good tolerations, especially when it comes to "national" level stuff where those bureaucrats knows nothing about tech but they knew it has political consequences, a "deface" if it was exposed.
Also, I happened to work with them before and know exactly why they have a lot of legal documents and proceedings, and that's because of bureaucracy, the bad kind, the corrupt kind of bureaucracy such that every wrong move you inflicted will give you huge, if not capitcal punishment, so in order to protect their interest, they rather do nothing as it is unfortunately the best thing. The risk associated of fixing that bug is so high so they rather not take it, and let it rot.
There's a lot of system in Hong Kong that is exactly like that, and the code just stay rotten until the next batch of money comes in and open up new theatre of corruption. Rinse and repeat
Python and PyTorch all call out to C libraries… I don’t get what he means by “proving LLMs can run without Python and PyTorch” at all. Seems like they don’t understand basic fundamentals about things here…
Oh.. So you start doing something new and you're top 10% without practicing or being bad at it first? I'd love to test that to see if it's the case... Your logic is "You're not the best ever to do something so you are not doing it" means you have probably never done a single thing your entire life. Maybe you should just stop.
Obviously familiar with Fabrice Bellard and his technical contributions but it seems like he is a pretty private person and he keeps to himself. I don't really know much about him as a person.
As someone who does it for a living the challenge can be in both. However this article is asking its agents to do CTF like challenges which I am sure the respective LLMs have seen millions of so it can essentially regurgitate a large part of the exploit code. This is especially true for the OOB/RW primitive API.
Yea, this entire repo/article seems super misleading to me. Not to mention asking it to generate API for OOB R/W primitives is essentially asking it to regurgitate what exists on thousands of github repos and CTF toolkits.
Vulnerability Researcher/Reverse Eng here... Aspects about it generating an API for read/write primitives are simply it regurgitating tons of APIs that exist already. Its still cool, but its not like it invented the primitives or any novel technique. Also, this toy JS is similar to binaries you'd find in a CTF. Of course it will be able to solve majority of those. I am curious though.. Latest OpenAI models don't seem to want to generate any real exploit code. Is there a prompt jail break or something being used here?
I had similar questions when reading the original article. I’m also interested in how the agent is constructed. From my experience, it can be very difficult to implement exploits without access to debugging tools, so I’m curious whether pwndbg or similar tools are included in the agent’s toolset and, if so, how they are integrated. Existing open-source GDB MCPs don’t work very well unless further optimized, at least the last time I checked.
reply