Any eval of the bug finding, patching or debugging capabilities of LLMs that relies on human eyeballs/judgement to determine success should be considered suspect. In these domains precision matters, and LLMs can be very convincing while still being very wrong.

— Sean Heelan (@seanhn) March 28, 2024

Bug finding is the easier of these handle, in the sense that you can require the LLM be able to provide a trigger. Patching/remediation is harder. LLMs regularly generate patches that look correct and pass the failing test, but are wrong and may even introduce more subtle bugs.

— Sean Heelan (@seanhn) March 28, 2024

Downside of requiring a trigger is it can conflate ability to reason about code/find bugs with other things, such as ability to write code. e.g. if the eval corpus is Linux kernel vulns, or PHP bugs, then you're requiring strong understanding of kernel/php programming as well.

— Sean Heelan (@seanhn) March 28, 2024

Excellent blog for learning Linux kernel internals, networking, fuzzing and syzkaller:
Credits @andreyknvlhttps://t.co/9QQvsNGWPV#Linux #cybersecurity pic.twitter.com/9EWP7hrIuS

— 0xor0ne (@0xor0ne) March 29, 2024

you can tell a lot about a person based on whether they think of vectors as arrows or list of numbers

— shaurya (@shauseth) March 28, 2024

neither, a vector is just an element of a vector space

— sycamore, B.S. M.A. Ph.D in gremlinism (@sycamoreherlihy) March 29, 2024

shot chaser pic.twitter.com/t6tdkaMXcO

— cts🌸 (@gf_256) March 29, 2024

I don't often tweet about patched bugs, but here's one that looks interesting - let's discuss ZDI-24-195 or kernel commit 38d20c62903d669693a1869aa68c4dd5674e2544, in a short 🧵

— Shift (@Shiftreduce) March 28, 2024

Another week, more badass research from the community 📰

Some Linux goodness from @notselwyn and @XI_Research

A low-level primer from @Steph3nSims

New techniques for automated IoT bug hunting from @cl4sm et al

+ job postings and more 👇https://t.co/jF1jrKMk3C

— exploits.club (@exploitsclub) March 28, 2024