story
This isn't a complete rebuttal to your argument but I'll note with irony that we're commenting on a thread about a FreeBSD kernel remote that Claude both found and wrote a reliable exploit for (though people will come out of the woodwork to say that reliable exploitation of FreeBSD kernel remotes isn't much of a flex).
Here, from the exact tranche of vulnerabilities you're saying was just a "grep for strcat", are the Firefox findings:
https://www.mozilla.org/en-US/security/advisories/mfsa2026-1...
We're getting to a point, like we did with coding agents last year, where you can just say "I believe my lying eyes". Check out a repository and do Carlini's "foreach FILE in $(sourcefiles); <run claude -p and just ask for zero days starting from that file>". I did last night, and my current dilemma is how obligated I am to report findings.
We're getting a point where anecdotes are being used in place of reason. I'd think you want to ask "how many bug bounties are earned by humans vs AI assistants?" If there's money to be made in finding 0-days then shouldn't there be ample evidence of this?
Which is why I'm confused. A limited number of particular people say there's this giant sea change. I cannot find any hard evidence that's true.
If anthropic blog was trying to _sell me_ on their service they failed miserably. So I guess my assumption can, at least, safely be, they have no idea how to market their own product.
