Paraphrasing: "The world's top security researches and AI labs are pouring all their VC money into finding as many security issues in curl as possible". At the same time, we know that curl is run by volunteers that needs to handle all of this. I'm not saying that we shouldn't do security review of open source libraries, just saying that this situation puts a lot of pressure on the maintainers.
The second unnerving thing is that many of the listed vulnerabilites target embedded libcurl; a library with a much slower update cycle. I'm guessing that many of the listed bugs are still in active use, inside the thousands of applications that use curl internally. Another tricky situation.
Both of these stand in contrast to the posts "braggy" style of "we found the most vulnerabilities of all!!!".
"my experience from working with them on and off for many months now is nothing but good. Skilled, professional engineers without any bureaucracy. They know their stuff, and they've been very good at listening in and adjusting for our needs and wants."
What stood out the most to me here was their pitch that harness currently matters most, over and above a specific model capacity. That’s one of my conclusions reading cloudflare’s Mythos debrief as well — the work right now that’s most valuable is in getting the models to loop effectively on tasks - so it’s super interesting to read the same perspective from a clearly effective org.
I'm thinking it's rapidly not becoming "can you find a security issue in XYZ?" and "what is the cost of finding a security issue in XYZ?". I want to know what the spend was.
11 comments
[ 3.7 ms ] story [ 26.1 ms ] threadParaphrasing: "The world's top security researches and AI labs are pouring all their VC money into finding as many security issues in curl as possible". At the same time, we know that curl is run by volunteers that needs to handle all of this. I'm not saying that we shouldn't do security review of open source libraries, just saying that this situation puts a lot of pressure on the maintainers.
The second unnerving thing is that many of the listed vulnerabilites target embedded libcurl; a library with a much slower update cycle. I'm guessing that many of the listed bugs are still in active use, inside the thousands of applications that use curl internally. Another tricky situation.
Both of these stand in contrast to the posts "braggy" style of "we found the most vulnerabilities of all!!!".
[0] https://youtu.be/t4wqREXVEAc
"my experience from working with them on and off for many months now is nothing but good. Skilled, professional engineers without any bureaucracy. They know their stuff, and they've been very good at listening in and adjusting for our needs and wants."
Who am I? I'm Daniel, curl lead developer.
https://mastodon.social/@bagder/116807425534711479
What stood out the most to me here was their pitch that harness currently matters most, over and above a specific model capacity. That’s one of my conclusions reading cloudflare’s Mythos debrief as well — the work right now that’s most valuable is in getting the models to loop effectively on tasks - so it’s super interesting to read the same perspective from a clearly effective org.