Top 3 Themes in the Discussion
| Theme | Key Takeaway | Representative Quote |
|---|---|---|
| 1️⃣ Discovery ≠ Exploitation | LLMs can surface vulnerabilities, but turning a bug into a reliable exploit still demands deep OS‑level expertise that many consider uniquely human. | “But finding a bug and exploiting it are very different things. Exploit development requires understanding OS internals, crafting ROP chains, managing memory layouts, debugging crashes, and adapting when things go wrong. This has long been considered the frontier that only humans can cross.” — magicalhippo |
| 2️⃣ Claude’s Concrete Role in CVE Creation | The community points to actual prompt histories where Claude was used to find the bug and generate the write‑up that became a CVE, showing the model’s direct involvement in the security process. | “Claude was used to find the bug in the first place though. That CVE write‑up happened because of Claude, so while there are some very talented humans in the loop, Claude is quite involved with the whole process.” — fragmede |
| 3️⃣ Emerging Feasibility of Automated Exploit Workflows | Recent experiments demonstrate that LLMs can be hooked into fuzzing loops or test‑generation pipelines, letting them churn out candidate exploits with minimal human supervision. | “you can let agent churn unattended if you have some sort of known goal. Write a test that should not pass and then tell the agent to come up with something that passes the test without changing the test itself. For this kind of fuzzing llms are not bad.” — Cloudef |
All quotations are taken verbatim from the discussion and attributed to the respective users.