Models finding software vulnerabilities is not the primary source of cybersecurity risk
I have tried and failed to write a longer post many times, so here goes a short one with less detail.

Discourse has primarily focused on models' ability to develop new exploits against important software from scratch. That capability is impressive, but the tech industry has been dealing with people regularly finding 0-day exploits for important pieces of software for more than twenty years. Having to patch these vulnerabilities at a 10xed or even 100xed cadence for a fixed period of time is well within the resources of Mozilla, the Linux Foundation, and Microsoft. Additionally, the lag time between "patch shipped" and "patch reverse engineered and weaponized by a criminal organization" was so long that most people didn't notice. And importantly, such capabilities are dual sided; the defenders will have access to them and will be using the models to prevent their engineers from releasing new software with bugs.

There are lots of capabilities that are not like this, however:

Weaponizing recently patched exploits for common software. Right now, for widely used C projects, we get enough publicly disclosed vulnerabilities to develop exploits with. Every amateur computer hacker has the experience of seeing a CVE for a version number currently in use by a service and being surprised when it's totally useless. Part of that is because lots of CVEs are inflated, but part of it is just that modern memory protections mean that it's very hard to develop these exploits. But AI reduces the time to develop these exploits and will even help with your criminal activity if you want. If the output of "stop-the-presses" vulnerabilities for teams slows down to "one a week", but each such vulnerability is now instantly exploited as soon as open source projects ship a patch, that seems like a lasting loss for defense.

AI-enabled social engineering. Right now black hat groups can only run really sophisticated, long term compromise attempts on Guillermo Rauch. But when the bottleneck for conduc