Stated differently -- the way OSS software is currently maintained and users are conditioned to behave, there is a capacity problem if the rate of discovery surges too sharply.
And if the capacity is overshot (which I believe is happening as we speak), users end up in extended states of being insecure.
I'm also one of the unwashed rabble who believes there is a large practical difference between a vulnerability that exists but isn't found and one that is widely known and exploitable.
Thankfully we've historically had a fair amount of attention (and investment in our security) by both customers, our oss users and people our ecosystem.
The interesting thing is that the business model seems to have changed. Why collect a 10k bounty when you can advertise a 3k/month scanner?
In theory, the vulnerability was always there, and it's better to find out than not find out.
In practice, how much effort it is to find vulnerabilities matters a lot. We're in a time where things that used to be quite hard are now easy and the rate of discovery will change.
This rate of discovery matters a lot -- for OSS maintainer burnout if nothing else.
I dunno man ... I produced a few things that got a few github stars over the years.
At the risk of repeating myself -- this is targeted at other OSS maintainers, not random people who might have done a git pull of some random project a couple years ago.
With all respect to the Anthropic folks, that's just marketing. (If they're reading this: let us into the program so I can be proven wrong here.)
I'm sure what they have is awesome, but it's clear that there are people out there with some decent prompts that are getting results out of widely available models as well.
The big thing we're sharing is: bulk scanning by random people in random geographies got a _lot_ better around January, it's widely distributed, and it's going to get a lot better regardless of whether that specific version of Mythos becomes widely available or not.
I'm not sure that the benefit of many eyes helps here. So much of this bulk scanning is low-effort, and if you're a smart person developing closed source software you get the benefits of bulk scanning, but _at the time of your choosing_ .
OSS has always had tradeoffs and I sadly think this one is going straight to the "Cons" column. We still think the Pros outweigh the Cons, but this is NotGreat.
Metabase | https://metabase.com | REMOTE | Full-time | Backend, Frontend, Full Stack, and DevOps engineers
Metabase is open source analytics software that lets anyone in your company rummage around in the databases you have. It connects to a number of databases / data warehouses (BigQuery, Redshift, Snowflake, Postgres, MySQL, etc).
People kinda like the product (metabase.com/love). We're a remote team full of people who care about user experience, making complicated things as simple as possible and building things. We have a deeply pragmatic engineering culture and value building things that people actually use vs whatever closes a deal or makes for a good press release.
Metabase | https://metabase.com | REMOTE | Full-time | Backend, Frontend, Full Stack, and DevOps engineers
We're hiring for multiple positions across the Engineering team (and in many other non-engineering roles).
Metabase is open source analytics software that makes it easy to ask questions of your data. It interfaces with a number of databases / data warehouses (BigQuery, Redshift, Snowflake, Postgres, MySQL, etc) and has a simple and powerful UI and UX that sits on top of it.
And if the capacity is overshot (which I believe is happening as we speak), users end up in extended states of being insecure.
I'm also one of the unwashed rabble who believes there is a large practical difference between a vulnerability that exists but isn't found and one that is widely known and exploitable.