> Claude was used to find the bug in the first place though. That CVE write-up happened because of Claude

Do you have a link to that? A rather important piece of context.

Wasn't trying to downplay this submission the way, the main point still stands:

But finding a bug and exploiting it are very different things. Exploit development requires understanding OS internals, crafting ROP chains, managing memory layouts, debugging crashes, and adapting when things go wrong. This has long been considered the frontier that only humans can cross.

Each new AI capability is usually met with “AI can do Y, but only humans can do X.” Well, for X = exploit development, that line just moved.

▲

jsnell 3 hours ago | parent | next [-]

> Do you have a link to that? A rather important piece of context.

It was a quote from your own link from the initial post?

https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08...

> Credits: Nicholas Carlini using Claude, Anthropic

▲

magicalhippo 3 hours ago | parent [-]

Oh wow, blind as a bat.

Would have been interesting with a write-up of that, to see just what Claude was used for.

	▲	jsnell an hour ago \| parent [-]
		Obviously no guarantees that it's exactly what was done in this case, but he talked about his general process recently at a conference and more in depth in a podcast: https://www.youtube.com/watch?v=1sd26pWhfmg https://securitycryptographywhatever.com/2026/03/25/ai-bug-f... It pretty much is just "Claude find me an exploitable 0-day" in a loop.

▲

xorgun 3 hours ago | parent | prev [-]

[dead]