qcontinuum1 4 hours ago

> So they already have a good bootstrapped amount & I feel as if qcontinuum is interested they can maybe implement the idea?

We might do it once. That requires non-trivial engineering effort and resources, and we are at the moment short on both of those.

Imustaskforhelp 3 hours ago | parent [-]

My point was to have a community effort around it as well if possible, and people could, say, upload suspicions and people could then confirm them?

I am curious, but wouldn't this effort be better if more people outside who are interested in investing their own resources for the safety of a better internet could help you out in such an endeavour? So essentially they can also help you out in such a task, essentially creating an open source-ish committee/list which can decide it.

I do feel like if resources are something in short supply, then actually doing such a thing would be even more beneficial, right? What are your thoughts on it?

(Tangent if you actually do this: This might become a cat and mouse game if the person with the malicious extension, say, reads the GitHub repo and sees their extension in it before people can conclude it's malicious, making it a cat and mouse game. But I am imagining a GitHub Action which can calculate the hash and download link and everything (essentially archiving a state of the extension), and then people can get freed from the game and everything as well. So this might help a lot in the future if you actually implement it.)

qcontinuum1 2 hours ago | parent [-]

It is a noble idea to have a community-driven effort in security research. We are sceptical that it would work. The same way security researchers will read this thread in the future, bad actors (e.g. Similarweb) can read it as well.

Any tool that would be open sourced or community driven for extension scanning will, with enough time, be used by bad actors to evade the scans. That is also why we don't share the code for this research, as it would only speed up this process.

Imustaskforhelp 2 hours ago | parent [-]

Oh, I understand. I don't have any expertise in such a field, but reading this, I can understand why an open source approach might not work out, which is a little sad, being honest.

But I feel like then the (bottleneck?) [which I don't mean in a bad way] would be the team, where the attackers might still be infinitely more numerous, which can exhaust your resources, which you mention as such.

Also, are there any other teams working on this? Thoughts on collaborating with anyone in the security field?

Maybe if a direct detailed discussion can't happen, then, just as you released the list of these extensions, you can release extensions in the future too as you detect them.

Do you feel as if an LLM-generated, vibe-coded extension (with some basic reading of the code to just get an idea and see if there are any bad issues) would be safer than a random extension in Firefox/Chrome in general? Given one is a black box (closed source) generated by a human and the other is open code generated by a black box.