Non-determinism is an issue with patching CVEs
Key takeaways
- Even before Claude Mythos was announced, there were clear signs that the next era of CVEs would be found by AI models.
- Most organizations don't have an up-to-date manifest of every package in their stack.
- This explosion of CVEs should encourage developers to embrace a system of record for their installed packages.
Even before Claude Mythos was announced, there were clear signs that the next era of CVEs would be found by AI models. Big Sleep found a zero-day vulnerability in SQLite, Microsoft Copilot found 20+ CVEs in bootloaders, and DARPA launched AIxCC to incentivize AI CVE discovery.
Now, with models like Claude Mythos emerging, there are two major takeaways: we'll see a rapid acceleration in the rate of CVEs as AI models improve, and we'll detect more CVEs that have persisted through versions, evading researchers for decades.
One of the trickiest categories is package CVEs. Most organizations don't have an up-to-date manifest of every package in their stack. System-level package managers like dnf, apt, and zypper, or toolchain package managers like pip, npm, and cargo, resolve package versions that vary across platforms, environments, and time. To feel confident that a vulnerable dependency isn't being used, organizations have to manually scan their entire stack. Couple that with the ever-increasing number of CVEs, and the problem quickly becomes unmanageable.
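As an added example (not part of the original post), here is what a minimal system of record for resolved packages looks like: a manifest parsed from `pip freeze`-style output, a diff that surfaces the version drift between two environments the paragraph describes, and a check of each resolved version against an advisory's affected range. The manifests and the advisory are constructed, and version comparison is simplified to dotted integers.

```python
"""Minimal system of record for resolved package versions.
Added example; the manifests and the advisory below are constructed, not real."""
from typing import Dict, List, Tuple

def parse_manifest(text: str) -> Dict[str, str]:
    """Parse `name==version` lines, the format `pip freeze` emits."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        pkgs[name.lower()] = version
    return pkgs

def version_key(v: str) -> Tuple[int, ...]:
    """Dotted-integer versions only (simplification; use `packaging` for full PEP 440)."""
    return tuple(int(p) for p in v.split("."))

def drift(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Packages resolved to different versions, or present on only one side ("-")."""
    return {name: (a.get(name, "-"), b.get(name, "-"))
            for name in sorted(set(a) | set(b)) if a.get(name) != b.get(name)}

def affected(manifest: Dict[str, str],
             advisories: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (advisory_id, package, version) for each resolved version in [introduced, fixed)."""
    hits = []
    for adv_id, name, introduced, fixed in advisories:
        v = manifest.get(name.lower())
        if v is not None and version_key(introduced) <= version_key(v) < version_key(fixed):
            hits.append((adv_id, name, v))
    return hits

# Constructed sample data: the same lockfile-less project resolved on two hosts.
BUILD_MANIFEST = """
certifi==2022.9.24
requests==2.28.1
urllib3==1.26.12
"""
PROD_MANIFEST = """
certifi==2022.9.24
cryptography==38.0.1
requests==2.28.1
urllib3==1.26.5
"""
# Constructed advisory: (id, package, introduced, fixed); `fixed` is exclusive.
ADVISORIES = [("EXAMPLE-ADVISORY-0001", "urllib3", "1.26.0", "1.26.10")]
```

Run `drift(parse_manifest(BUILD_MANIFEST), parse_manifest(PROD_MANIFEST))` to see that the build host and the production host resolved different `urllib3` versions, and `affected(...)` to see that only the production resolution falls inside the advisory range.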