16 comments

[ 4.7 ms ] story [ 32.2 ms ] thread
what an annoying page

pointless videos, without enough time to read the code

I wonder if we're going to end up in an arms race between AIs masquerading as contributors (and security researchers) trying to introduce vulnerabilities into popular libraries, and AIs trying to detect and fix them.
If you are doing security of all things - why wouldn't you verify the provenance of your tooling and libs?
DeepMind = not available for use
Can we just flag this since it’s not actually a thing available to anyone?
4.5 million lines of code for one fix is impressive for an LLM agent, but there's so little detail in this post otherwise. Perhaps this is a tease to what will be released on Thursday...
Not a fan of future products being announced as if they are here but are basically is still in "Internal Research" stages. I'm not sure who this is really helping? except creating unnecessary anticipation which we kinda all know are in this loop lately of "yes it works great, but".
So it is a secret tool, they will "gradually reach out to interested maintainers of critical open source projects with CodeMender-generated patches", then they "hope to release CodeMender as a tool that can be used by all software developers".

Why is everything in "AI" shrouded in mystery, hidden behind $200 monthly payments and has glossy announcements. Just release the damn thing and let us test it. You know, like the software we write and that you steal from us.

It could instead be used to automate the finding of zero-days.

And $200 payments is probably revenue neutral for actual cost of this stuff.

I'm optimistic that it's easier to find/solve vulnerabilities via auto pen-testing / patching, and other security measures, than it will be to find/exploit vulnerabilities after - ie defense is easier in an auto-security world.

Does anyone disagree?

This is purely my intuition, but I'm interested in how others are thinking about it.

All this with the mega caveat of this assuming very widespread adoption of these defenses, which we know won't be true and auto-hacking may be rampant for a while.

In many small companies (e.g. startups), the attackers are far more experienced and skilled than are the defenders. For attacking specific targets, they also have the leisure of choosing the timing of the attack - maybe the CTO just boarded a four hour flight?
Does anybody know how such LLMs are trained/fine-tuned?
If you want to get reliable automated fixes today, I'd encourage you to enable code scanning on your repo. It's free for open-source repos and includes Copilot Autofix (also for free).

We've already seen more than 100,000 fixes applied with Autofix in the last 6 months, and we're constantly improving it. It's powered by CodeQL, our deterministic and in-depth static analysis engine, which also recently gained support for Rust.

To enable go to your repo -> Security -> code scanning.

Read more about how autofix works here: https://docs.github.com/en/code-security/code-scanning/manag...

And stay tuned for GitHub Universe in a few weeks for other relevant announcements ;).

Disclaimer: I'm the Product lead on detection & remediation engines at GitHub

Please tell your people about 2FA SMS delivery issues to certain West African countries. I'd rather have it via email or have the option of WhatsApp

I was fine before 2FA and I'm willing to pay to go without. Same username

Can't scan my code if I can't access my account

If this is released publicly it will be immediately used to find zero-days in software by black hats.
Remember kids! Everything is dual use.