What about the price? [LWN.net]

What about the price?

Posted Apr 23, 2026 1:48 UTC (Thu) by pabs (subscriber, #43278)
In reply to: What about the price? by antacon
Parent article: Firefox: The zero-days are numbered

... and when are they going to stop gratis scanning of FOSS code?

to post comments

What about the price?

Posted Apr 23, 2026 18:21 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link] (6 responses)

I think the real question is whether the LLMs will continue to develop to the point they can find bugs that a top human researcher would never be able to find. If they do, we're going to be in for a very rough ride, because we're going to have to trust the tools to find stuff we can't understand. If they can't- if they max out finding things that a talented human could find given infinite patience- then we're already pretty much there. What's cutting edge now will be a commodity in a year or two, and projects will be able to achieve the same thing with their own local instance.

I also expect the LLM companies to keep providing support using their very best tools to a limited set of FOSS projects more or less indefinitely. Some of that will be because it's good PR. That isn't just because it looks public spirited, but also because they can show all the details in a way they can't really do with proprietary code. Of course they'll choose projects they use themselves so they get the security benefit.

What about the price?

Posted Apr 24, 2026 4:20 UTC (Fri) by cypherpunks2 (guest, #152408) [Link] (4 responses)

>I think the real question is whether the LLMs will continue to develop to the point they can find bugs that a top human researcher would never be able to find. If they do, we're going to be in for a very rough ride, because we're going to have to trust the tools to find stuff we can't understand.

I don't think that's a concern. Just because we could never find a particular bug doesn't mean the bug defies human comprehension. We aren't going to find an LLM pull noncausality out of its hat to flip a bit.

>If they can't- if they max out finding things that a talented human could find given infinite patience- then we're already pretty much there.

A talented human, with truly infinite patience (and time), could just formally verify everything. It's just obscenely impractical for anything bigger than a microkernel. Perhaps one day, LLMs will be able to do the heavy lifting regarding formal verification. At that point, the only bugs remaining will be hardware bugs, and formal verification can even be done on the RTL level (and is for some things; Intel famously formally verified their FPU implementation after the FDIV bug).

Specs (and proof checkers) can have bugs too!

Posted Apr 25, 2026 2:17 UTC (Sat) by DemiMarie (subscriber, #164188) [Link] (3 responses)

Formal verification checks that your code meets your spec. It doesn’t check that your spec matches your intent.

Also, proof checkers can have bugs too, including ones allowing false proofs.

Specs (and proof checkers) can have bugs too!

Posted Apr 26, 2026 4:52 UTC (Sun) by cypherpunks2 (guest, #152408) [Link] (1 responses)

> Formal verification checks that your code meets your spec. It doesn’t check that your spec matches your intent.

That's true, but those kinds of mistakes wouldn't be considered a software bug than an LLM would find anyway.

Specs (and proof checkers) can have bugs too!

Posted Apr 27, 2026 9:17 UTC (Mon) by farnz (subscriber, #17727) [Link]

The thing that makes LLM-based security analysers interesting is that they're good at finding what amount to "bugs in the specification", where it's implausible that the human intended something that they wrote.

This is in contrast to formal verification, where an error in the spec results in verification passing, but the software not functioning as intended. An LLM looking at your code will do the equivalent of "there's no plausible sequence of tokens that would represent a specification for this code that a human would write", where a formal verifier does not look to see if the specification is plausibly human written.

Specs (and proof checkers) can have bugs too!

Posted Apr 26, 2026 10:33 UTC (Sun) by jch (guest, #51929) [Link]

> Also, proof checkers can have bugs too, including ones allowing false proofs.

I'm not a specialist, but from what I've gathered, at least Rocq is able to produce a proof in a core language (the logic with no syntactic sugar). There is then a second program, the proof verifier, that checks the proof. The verifier is as simple as possible and has been written independently of the proof assistant, so it's fairly improbable that both the proof assistant and the verifier have the same bug.

Again, this is just what I've gathered from conversations with specialists, but as far as I know most bugs turn out to be in the extraction module (the code that takes a Rocq proof and produces an executable program).

What about the price?

Posted Apr 24, 2026 19:06 UTC (Fri) by fraetor (subscriber, #161147) [Link]

> I think the real question is whether the LLMs will continue to develop to the point they can find bugs that a top human researcher would never be able to find. If they do, we're going to be in for a very rough ride, because we're going to have to trust the tools to find stuff we can't understand.

This is addressed somewhat at the bottom of the article, where they note that all of the bugs discovered *could* have been discovered by humans, because the Firefox source is designed to be understood by humans:

> Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher. Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don’t think so. Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex, but not arbitrarily complex.