HN Summary: Vulnerability Research Is Cooked
Veteran security researcher Thomas Ptacek (sockpuppet.org) argues that AI coding agents have effectively ended the scarcity economics of vulnerability research. With models like Claude able to generate hundreds of validated zero-day vulnerabilities per day by simply pointing an agent at a codebase, the entire field of manual vulnerability research faces obsolescence. Chrome, iOS, Android, and every networked device on earth should expect a radical increase in exploit volume.
The Story
Ptacek’s analysis draws from Anthropic’s Frontier Red Team, which generated 500 validated high-severity vulnerabilities using Claude — by running a trivial 15-minute bash script across source trees. The process: feed every file to a Claude Code prompt asking for exploitable vulnerabilities, collect reports, verify each one. Success rate: near 100%.
Vulnerability research historically required elite expertise — understanding memory corruption, font library internals, allocator grooming. These were the “giant, time-consuming jigsaw puzzles” that protected software from automated exploitation. LLMs have solved the puzzle; what’s left is the chess. Vendors with fast auto-update pipelines are well-positioned; those that relied on “security through scarcity” and have slow or no patching cycles are in trouble.
Key Takeaways
- Anthropic’s Claude generated 500 validated high-severity vulnerabilities using a 15-minute script
- The bottleneck in security was always elite human attention, not bug complexity — AI eliminates that bottleneck
- Vulnerabilities will be found in every target simultaneously: hospital equipment, regional banks, IoT devices
- Chrome, iOS and Android auto-update; smaller vendors with physical or patch-heavy update cycles face existential risk
- The bug bounty economy faces collapse as CVE flood devalues individual vulnerability reports
- The legal framework (CFAA) was designed for human-scale research, not agent-scale exploitation
Community Reaction
“Within the next few months, coding agents will drastically alter both the practice and the economics of exploit development. Substantial amounts of high-impact vulnerability research will happen simply by pointing an agent at a source tree and typing ‘find me zero days’.” — tptacek
Debate centered on whether AI-powered defenders could keep pace:
“If LLMs can find vulnerabilities, why not run them to patch all of them?” — stavros
“Because not all software gets auto-updated. Most of it does not!” — woeirua
One counterargument noted that fixing introduces new bugs — every code change is a potential regression. Others pointed to formal verification as a potential long-term answer, though consensus was that most software will remain exploitable indefinitely.
Media & Sources
💬 Discussion: HN Thread — 119 pts, 86 comments
🔗 Read: sockpuppet.org full analysis — by Thomas Ptacek
🔗 Read: Anthropic Red Team: 500 zero-days — primary research source
🔗 Read: Carlini interview on AI bug finding — methodology details
