As noted earlier, Mozilla’s characterization of AI-assisted vulnerability discovery as a game changer has been met with widespread, vocal skepticism in many quarters. Critics initially scoffed when Mozilla didn’t obtain CVE designations for any of the 271 vulnerabilities. Like many developers, however, Mozilla doesn’t obtain CVE listings for internally discovered security bugs. Instead, they’re bundled into a single patch. Normally, Bugzilla reports detailing these “rollups” are hidden for several months after being fixed to protect those who are slow to patch. Now that Mozilla has revealed a dozen of them, the same critics will surely claim they too were cherry-picked and conceal less accurate results.
Of the 271 bugs found using Mythos, 180 were sec-high, Mozilla’s highest designation for internally reported vulnerabilities. A majority of these vulnerabilities may be exploited through normal user behavior, such as browsing to a web page. (The only higher rating, sec-critical, is reserved for zero-days.) Another 80 were sec-moderate, and 11 were sec-low.
The critics are right to keep pushing back. Hype is a key means of inflating the already puffed-up valuations of AI firms. Given the extensive praise Mozilla has given to Mythos, it’s easy for even more trusting people to wonder: What’s it getting in return? Far from settling the debate, Thursday’s elaborations are likely to only further stoke the controversy.
To hear Grinstead tell it, however, the details are clear evidence of the usefulness of AI-assisted discovery, and Mozilla’s motivation is simple.
“People are a bit burned from the last 12 months of those slop commits, so we felt it was essential to point out some of our work, open up some of the bugs, and speak about it in a little more detail as a way to hopefully spur some action or continue the conversation,” he said. “There’s no sort of marketing angle here. Our team has completely bought in on this approach. We try to get a message out about this approach in general and not any specific model provider, company, or anything like that.”