What about the price? [LWN.net]

What about the price?

Posted Apr 22, 2026 13:00 UTC (Wed) by antacon (subscriber, #138885)
Parent article: Firefox: The zero-days are numbered

The tool sounds powerful and capable. But how much will Anthropic charge for it's use? And is the environmental plus ethical cost of hoovering all the data justified? On the one hand many platforms and apps will be more secure but something tells me this won't be free like Let's Encrypt mission of HTTPS everywhere or the invention of modern encryption algorithms.

to post comments

What about the price?

Posted Apr 22, 2026 14:32 UTC (Wed) by anselm (subscriber, #2796) [Link] (2 responses)

Also we don't know how many false positives the model produces. It's great if they managed to find 271 actual security bugs, but if they had to weed those out from 27,100 claimed security bugs, that's perhaps not so great.

What about the price?

Posted Apr 24, 2026 12:29 UTC (Fri) by jmalcolm (subscriber, #8876) [Link] (1 responses)

> how many false positives the model produces

That is not how this is going to work.

1 - Identify a candidate vulnerability
2 - Verify the vulnerability
3 - Exploit the vulnerability

A CVE requires all three and the AI can do all three. But at a minimum, we would expect the first two.

We do not care about all the "potential vulnerabilities" the system may uncover. We only want to know about the ones that have been confirmed NOT to be false positives. Verification is much easier than identification. There is absolutely no reason to have an AI doing identification and then pushing the work of verification on to us.

What about the price?

Posted May 13, 2026 7:51 UTC (Wed) by daenzer (subscriber, #7050) [Link]

> 1 - Identify a candidate vulnerability
> 2 - Verify the vulnerability
> 3 - Exploit the vulnerability

There are false positives at all 3 steps, so your point remains unclear.

> There is absolutely no reason to have an AI doing identification and then pushing the work of verification on to us.

There's no substitute for human verification.

What about the price?

Posted Apr 23, 2026 1:48 UTC (Thu) by pabs (subscriber, #43278) [Link] (7 responses)

... and when are they going to stop gratis scanning of FOSS code?

What about the price?

Posted Apr 23, 2026 18:21 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link] (6 responses)

I think the real question is whether the LLMs will continue to develop to the point they can find bugs that a top human researcher would never be able to find. If they do, we're going to be in for a very rough ride, because we're going to have to trust the tools to find stuff we can't understand. If they can't- if they max out finding things that a talented human could find given infinite patience- then we're already pretty much there. What's cutting edge now will be a commodity in a year or two, and projects will be able to achieve the same thing with their own local instance.

I also expect the LLM companies to keep providing support using their very best tools to a limited set of FOSS projects more or less indefinitely. Some of that will be because it's good PR. That isn't just because it looks public spirited, but also because they can show all the details in a way they can't really do with proprietary code. Of course they'll choose projects they use themselves so they get the security benefit.

What about the price?

Posted Apr 24, 2026 4:20 UTC (Fri) by cypherpunks2 (guest, #152408) [Link] (4 responses)

>I think the real question is whether the LLMs will continue to develop to the point they can find bugs that a top human researcher would never be able to find. If they do, we're going to be in for a very rough ride, because we're going to have to trust the tools to find stuff we can't understand.

I don't think that's a concern. Just because we could never find a particular bug doesn't mean the bug defies human comprehension. We aren't going to find an LLM pull noncausality out of its hat to flip a bit.

>If they can't- if they max out finding things that a talented human could find given infinite patience- then we're already pretty much there.

A talented human, with truly infinite patience (and time), could just formally verify everything. It's just obscenely impractical for anything bigger than a microkernel. Perhaps one day, LLMs will be able to do the heavy lifting regarding formal verification. At that point, the only bugs remaining will be hardware bugs, and formal verification can even be done on the RTL level (and is for some things; Intel famously formally verified their FPU implementation after the FDIV bug).

Specs (and proof checkers) can have bugs too!

Posted Apr 25, 2026 2:17 UTC (Sat) by DemiMarie (subscriber, #164188) [Link] (3 responses)

Formal verification checks that your code meets your spec. It doesn’t check that your spec matches your intent.

Also, proof checkers can have bugs too, including ones allowing false proofs.

Specs (and proof checkers) can have bugs too!

Posted Apr 26, 2026 4:52 UTC (Sun) by cypherpunks2 (guest, #152408) [Link] (1 responses)

> Formal verification checks that your code meets your spec. It doesn’t check that your spec matches your intent.

That's true, but those kinds of mistakes wouldn't be considered a software bug than an LLM would find anyway.

Specs (and proof checkers) can have bugs too!

Posted Apr 27, 2026 9:17 UTC (Mon) by farnz (subscriber, #17727) [Link]

The thing that makes LLM-based security analysers interesting is that they're good at finding what amount to "bugs in the specification", where it's implausible that the human intended something that they wrote.

This is in contrast to formal verification, where an error in the spec results in verification passing, but the software not functioning as intended. An LLM looking at your code will do the equivalent of "there's no plausible sequence of tokens that would represent a specification for this code that a human would write", where a formal verifier does not look to see if the specification is plausibly human written.

Specs (and proof checkers) can have bugs too!

Posted Apr 26, 2026 10:33 UTC (Sun) by jch (guest, #51929) [Link]

> Also, proof checkers can have bugs too, including ones allowing false proofs.

I'm not a specialist, but from what I've gathered, at least Rocq is able to produce a proof in a core language (the logic with no syntactic sugar). There is then a second program, the proof verifier, that checks the proof. The verifier is as simple as possible and has been written independently of the proof assistant, so it's fairly improbable that both the proof assistant and the verifier have the same bug.

Again, this is just what I've gathered from conversations with specialists, but as far as I know most bugs turn out to be in the extraction module (the code that takes a Rocq proof and produces an executable program).

What about the price?

Posted Apr 24, 2026 19:06 UTC (Fri) by fraetor (subscriber, #161147) [Link]

> I think the real question is whether the LLMs will continue to develop to the point they can find bugs that a top human researcher would never be able to find. If they do, we're going to be in for a very rough ride, because we're going to have to trust the tools to find stuff we can't understand.

This is addressed somewhat at the bottom of the article, where they note that all of the bugs discovered *could* have been discovered by humans, because the Firefox source is designed to be understood by humans:

> Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher. Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don’t think so. Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex, but not arbitrarily complex.