
Since this level of security "scanning" requires heaps of money, this is going to kill off a substantial part of F/OSS.


Well, maybe not... see Simon Willison's ongoing reporting [0] on all the bug reports for `curl` people are finding with LLMs.

Interesting to see them go from "DON'T GIVE US AI SLOP!" to "Wow, lots of actual bugs found, including [ed: at least one] bug found by two people!"

[0]: https://simonwillison.net/search/?q=curl


curl is both very high-profile and very security-central though. A lot of people would happily pay $100 to tuck "found a curl vulnerability" under their belt. I'm not sure that's even true for, say, Notepad++, much less all the random FOSS projects with 1 maintainer and 50 stars whose names I've never thought about twice.


But it's pretty cool that LLM bug hunting is pretty cheap... the 1-person projects can do it themselves, don't have to contract out to some huge security company.


> Interesting to see them go from "DON'T GIVE US AI SLOP!" to "Wow, lots of actual bugs found, including [ed: at least one] bug found by two people!"

Both of those things can be true.


Keep in mind that Opus detected most of these vulnerabilities, it just didn't exploit them (it says as much in the article).

I'm honestly not convinced this is changing the landscape significantly. It's simply a bit better at self-directing.



