* Is there a finite supply of bugs, or is there an AI-Lovecraftian, vast, unexplored design-space of bugs and bug-like hacks?

* The "attack surface": is it a surface like downtown Manhattan real estate, or is it a surface like a Mandelbrot Set printed on a Moebius loop?
In the real world we're also talking about moving up and down abstraction layers of the composed system. Behavior that is benign on a web server and load balancer individually becomes an HTTP smuggling vuln when deployed together.
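The composition point in the reply above, as an added example that is not part of the thread: two HTTP/1.1 framing parsers that are each internally consistent (one honouring Content-Length, one honouring Transfer-Encoding: chunked) disagree about where a constructed request ends, and a strict front-end check refuses the ambiguous message before it can be forwarded. The sample request and the `example.test` host are constructed for the demo.

```python
# Constructed sample traffic: both framing headers present, sized so they disagree.
TAIL = b"GET /healthz HTTP/1.1\r\nHost: example.test\r\n\r\n"
RAW = (
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: %d\r\n" % (5 + len(TAIL))   # 5 = len(b"0\r\n\r\n")
    + b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n" + TAIL
)
CLEAN = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\nhi"

def split_headers(raw):
    """Return ({lower-cased name: value}, body bytes) for one raw request."""
    head, body = raw.split(b"\r\n\r\n", 1)
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers, body

def frame_by_content_length(raw):
    """Framing as seen by a component that only honours Content-Length.
    Returns (this request's body, bytes left over on the connection)."""
    headers, body = split_headers(raw)
    n = int(headers[b"content-length"])
    return body[:n], body[n:]

def frame_by_chunked(raw):
    """Framing as seen by a component that honours Transfer-Encoding: chunked."""
    headers, body = split_headers(raw)
    assert headers.get(b"transfer-encoding") == b"chunked"
    out, pos = b"", 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # chunk-size, extensions ignored
        pos = end + 2
        if size == 0:                                   # last chunk: skip trailer CRLF
            pos = body.index(b"\r\n", pos) + 2
            return out, body[pos:]
        out += body[pos:pos + size]
        pos += size + 2                                 # chunk data plus its CRLF

def framing_disagrees(raw):
    """True when the two interpretations leave different bytes for the next request."""
    return frame_by_content_length(raw)[1] != frame_by_chunked(raw)[1]

def accept_framing(raw):
    """Defensive check for a front end: accept only requests whose framing is
    unambiguous (never both headers, and only the plain 'chunked' coding)."""
    headers, _ = split_headers(raw)
    te = headers.get(b"transfer-encoding")
    if te is not None and b"content-length" in headers:
        return False
    return te is None or te.lower() == b"chunked"
```

Neither parser is wrong on its own; the vulnerability only exists once the two are chained, which is why the check belongs at the boundary that forwards bytes between them.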
So it's cool that Mythos is good at finding bugs when the entire scope is legible in a codebase, but how do we get it to reason about deployed applications where there isn't a legible representation of the behavior?
I imagine there is a finite number of possible bugs, but that number is greater than the amount of working code it would ever be possible to generate.
The possible number of wrong answers for a question is the total information content of the universe minus the finite number of correct answers, maybe. So it's still finite, I think.
For what it's worth, the vulnerabilities described in the Mythos article that it found and exploited were of the usual kinds. There are no mysterious move 37s.
If AI discovers a new class of vulnerability that affects code patterns we strongly thought were safe then I'll panic.
One thing to keep in mind is that making an exploit to take advantage of a vulnerability is often much harder than understanding the vulnerability. Defenders don't need a working exploit in order to recognize that code allowing out-of-bounds writes is a vulnerability that's likely exploitable.
Would we understand it if it did, or would it look like nonsense and so we'd dismiss the summary report?