Opus 4.6 uncovers 500 zero-day flaws in open-source code
axios.com
132 points by speckx 3 hours ago
The system card unfortunately only refers to this [0] blog post and doesn't go into any more detail. In the blog post Anthropic researchers claim: "So far, we've found and validated more than 500 high-severity vulnerabilities".
The three examples given include two buffer overflows which could very well be cherry-picked. It's hard to evaluate if these vulns are actually "hard to find". I'd be interested to see the full list of CVEs and CVSS ratings to actually get an idea of how good these findings are.
Given the bogus claims [1] around GenAI and security, we should be very skeptical of this news.
[0] https://red.anthropic.com/2026/zero-days/
[1] https://doublepulsar.com/cyberslop-meet-the-new-threat-actor...
I know some of the people involved here, and the general chatter around LLM-guided vulnerability discovery, and I am not at all skeptical about this.
It does if the person making the statement has a track record, proven expertise on the topic - and in this case… it actually may mean something to other people
Yes, as we all know, unsourced, unsubstantiated statements are the best way to verify claims regarding engineering practices. Especially when said person has a financial stake in the outcomes of said claims.
No conflict of interest here at all!
I have zero financial stake in Anthropic and more broadly my career is more threatened by LLM-assisted vulnerability research (something I do not personally do serious work on) than it is aided by it, but I understand that the first principal component of casual skepticism on HN is "must be a conflict of interest".
> but I understand that the first principal component of casual skepticism on HN is "must be a conflict of interest".
I think the first principle should be "don't trust a random person on the internet" (but if you think Tom is random, look at his profile. First link, not second)
You still haven't answered why I should care that you, a stranger on the internet, believe some unsubstantiated hearsay?
Take a look at https://news.ycombinator.com/leaders
The user you're suspicious of is pretty well-known in this community.
Someone's credibility cannot be determined by their point counts. Holy fuck is that not a way to evaluate someone in the slightest. Points don't matter.
Instead look at their profile...
Points != creds. Creds == creds.
Don't be fucking lazy and rely on points, especially when they link their identity.