ahofmann 4 hours ago

Putting on my tinfoil-hat: Sooo, the guy who runs the test and delivers the report could just have removed the more interesting bugs and delivered those to any three letter agency?

casey2 2 hours ago

curl's source is public so what would be the gain in the rigmarole? Now if the prompt was "create a patch that inserts a zero-day while fixing a bug" that would be impressive.

bilekas 4 hours ago

[flagged]

AnssiH 3 hours ago

The test was run by an unnamed third party, so cURL's history has no relevance to their benevolence.

Ekaros 4 hours ago

Curl is likely one of the very much more combed-over pieces of code at this point. It feels like it has some special draw for people looking for vulnerabilities. Not that it doesn't mean some novel idea can't be looked at or checked still.

cakealert 4 hours ago

> No, based on cURL's history, it really seems like they would love to have found a really novel bug.

You just confirmed that you didn't read the article.

"Eventually, I was instead offered that someone else, who has access to the model, could run a scan and analysis on curl for me using Mythos and send me a report."

bilekas 3 hours ago

I'm not sure how that proves I didn't read the article?

croon 2 hours ago

Someone external to the curl team ran the test. If that third party found a severe CVE that they could use across all the global curl attack surface, and did not disclose it back to the curl team, the third party could keep using the exploit until discovered independently.