kingkilr 19 hours ago
[Work at Anthropic, used to work at Mozilla.] Firefox has never required a full chain exploit in order to consider something a vulnerability. A large proportion of disclosed Firefox vulnerabilities are vulnerabilities in the sandboxed process. If you look at Firefox's Security Severity Rating doc: https://wiki.mozilla.org/Security_Severity_Ratings/Client what you'll see is that vulnerabilities within the sandbox, and sandbox escapes, are both independently considered vulnerabilities. Chrome considers vulnerabilities in a similar manner.
stuxf 19 hours ago
Makes sense, thank you!
bell-cot 18 hours ago
If only this attitude was more common. All security is, ultimately, multi-ply Swiss cheese and unknown unknowns. In that environment, patching holes in your cheese layers is a critical part of statistical quality control.
lostmsu 10 hours ago
Semi-on topic. When will Anthropic make decisions on Claude Max for OSS maintainers? I would like to run this on my projects and some of my high-profile dependencies, but there was no update on the application.