Thankfully we've historically had a fair amount of attention (and investment in our security) by both customers, our oss users and people our ecosystem.
The interesting thing is that the business model seems to have changed. Why collect a 10k bounty when you can advertise a 3k/month scanner?
In theory, the vulnerability was always there, and it's better to find out than not find out.
In practice, how much effort it is to find vulnerabilities matters a lot. We're in a time where things that used to be quite hard are now easy and the rate of discovery will change.
This rate of discovery matters a lot -- for OSS maintainer burnout if nothing else.
It matters in a positive sense; it's a thing that enables you to make some predictions about the state of the world tomorrow. It does not matter in a normative sense; OSS maintainer burnout is strictly a less important concern than software security, which is an externality of software development.
> OSS maintainer burnout is strictly a less important concern than software security,
Burnout means that no more fixes come - ever - and that things sit vulnerable until everyone relying on that tool takes the time to build and switch to a replacement.
Maintainer burnout is perhaps the single biggest threat to the ecosystem right now.
That can't possibly be an argument for forbearing security vulnerabilities in software. It's an argument for prioritizing hypothetical flaws over real ones.
If these flaws are so important, users of open source (business or individual) need to pay up - literally. Pay the maintainers enough to justify spending the time on these things, including the opportunity cost of not working at other software jobs during that time.
Pay each maintainer an absolute minimum of $200K a year or shut up and do the work yourself - in a fork if necessary.
This comment should not be greyed out. I feel that we all forget this far too much. You've exaggerated it somewhat.
There is no right to demand someone does something for free, and we have gotten dependent on people doing things for free. We don't have to pay people but if we don't want to, then we have to be willing to do it ourselves. Otherwise it could go away at any moment and we have no recourse.
Stated differently -- the way OSS software is currently maintained and users are conditioned to behave, there is a capacity problem if the rate of discovery surges too sharply.
And if the capacity is overshot (which I believe is happening as we speak), users end up in extended states of being insecure.
I'm also one of the unwashed rabble who believes there is a large practical difference between a vulnerability that exists but isn't found and one that is widely known and exploitable.
There's two fallacious arguments encoded here. The first is obvious, that we should prioritize hypothetical future vulnerabilities and fixes over ones we know exist today. The second is subtler and more insidious: it's the idea that the goal of software is to ensure every package and project is viable, that everyone who wants to deploy it should be able to do so. The risks this attitude pose to users, ordinary people who have no agency over which software packages you use to serve their needs, are a pure externality. The idea that a project serving real human users might opt to compromise availability rather than putting people at risk is never even broached.
This is so far outside of reality that I can't believe I'm even commenting on it.
If you believe people don't use software that is unmaintained and hilariously out of date I genuinely don't know what world you live in or how to deliver the bad news to you.
Oh, I agree that today there's a general expectation that externalized security doesn't matter and someone will always come around to rescue you (and your unmaintained dependency) from disaster. I'm just saying: infinite free bugs is likely to disrupt that equilibrium.
I dunno man ... I produced a few things that got a few github stars over the years.
At the risk of repeating myself -- this is targeted at other OSS maintainers, not random people who might have done a git pull of some random project a couple years ago.
That happens a lot though, even OpenAI is attempting to lock functionality (like computer-use, 2 weeks ago) behind a binary -- Mac only they said, no EU. I saw a guy crack it the same day, ported to Windows. There are many many things like Rive that use binaries, obfuscation and uglification has been the name of the proprietary game for a long ass time, with the only protection being an assumption that "nobody would go through that trouble", yeah an LLM would ralph loop through it all day long, and make what you paid good money for pretty much free for anyone to use whenever they feel like it, we're back to the the "you wouldn't download a car would you?" argument
With all respect to the Anthropic folks, that's just marketing. (If they're reading this: let us into the program so I can be proven wrong here.)
I'm sure what they have is awesome, but it's clear that there are people out there with some decent prompts that are getting results out of widely available models as well.
The big thing we're sharing is: bulk scanning by random people in random geographies got a _lot_ better around January, it's widely distributed, and it's going to get a lot better regardless of whether that specific version of Mythos becomes widely available or not.
> prompts that are getting results out of widely available models as well.
Absolutely, and the "false-positive" issue people keep citing as why Mythos is so good is easily solved in the harness, simplest solution is starting fresh context with another prompt to evaluate if it's a false-positive or not, just adding that drastically cuts down the rate.
Sorry for all caps, but for some reasons OSS licenses think this is the proper way to style this paragraph
MIT:
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
BSD:
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OSS maintainers don't owe anyone shit. Anyone who thinks fixing the bug is important is free to fix it and submit a patch.
Nobody really knows of course. However it is safe to assume they are not so stupid as to ignore what is happening in the other areas (at least some of them), and so they are running their own targeted scans and then trying to figure out how to make money (or whatever their goal is) by exploiting them. They are also using LLMs to try things on closed source that are more than a brute force attack, though I have no idea what those would be.
Software will eventually become "unmaintainable due to lack of interest", because of this very thing. People not invested in this are not "in peril" in any way.
A lot of people are invested without realizing it. I'm typing this on a computer running linux, with all the standard services/software. I maintain one OSS project (icecc - we have always said only run on trusted networks. I'm sure there are a lot of issues in our code but nobody has bothered run a scan yet to my knowledge), but I don't pay attention to everything. I'm sure there are known easy to exploit (with a LLM) issues on this computer just because my distro hasn't updated yet. (I need a better distro, but even the most up to date will constantly have these issues)
What you just described may be accurate. But it also is the essence of a "trap".
My comment about investment was more to that point.
If software "is a trap", even my ever-computing loving wrote first programs on an Apple II in the 80s will only be as you sort of describe invested in by reference (minimal usage).
But no-one will sign up for a "trap" as a career, and only those who do will deal with its problems. The first thing that comes to mind is "Johns", "Hotels", and the trappings of the sex trade.
In theory, nothing.
In practice, it's in our long term interest that bad things don't happen to them.
How sustainable all of this is, I have my doubts?