1

cross-posted from: https://slrpnk.net/post/36882585

An arms race is on the horizon. An AI project has produced a tool that finds bugs in software. And it has gotten very good at it. The bugs it finds is a treasure trove for criminals (incl. spy agencies) looking for vulns.

Of course the AI project is commercial and the code is proprietary closed-source. The company that made it is quite tight with the s/w, so far, partly due to liability control (a legit fear that if they are loose with distribution, criminals will get a flood of 0 days like crazy and exploit it, after which the AI corp could be liable).

The FOSS world seems to be at a serious disadvantage. This tool will be unavailable to the FOSS community. So devs will be blocked from a tool that finds bugs that criminals and FOSS adversaries will have. Well-funded project (i.e. mostly non-FOSS) can either offer bug bounties and/or afford the bug finding tool.

Is it time to ask govs to get off their ass and protect the commons? Should govs (the UN? NATO?) fund a competing project to find bugs in FOSS and inform devs? Or mandate that all such commercial projects lend their AI bots to the commons?

no comments (yet)
sorted by: hot top new old
there doesn't seem to be anything here
this post was submitted on 22 Apr 2026
1 points (100.0% liked)

Software Quality Assurance (FOSS and non-FOSS) 🛡✓

60 readers
2 users here now

This is a place to broadly discuss anything related to software QA, such as:

Related:

To report specific bugs, consider the following related community instead of posting here:

I would suggest only posting about specific bugs in !softwarequality@infosec.pub if it’s not merely a bug to report but rather to showcase an example for a broader philosophical discussion.

Or perhaps if a bug has notable infosec consequences, it’s also worth discussing in !softwarequality@infosec.pub.

founded 9 months ago
MODERATORS