• wewbull@feddit.uk · 5 points · 13 days ago

    …and a lot of the “security issues” being found by LLMs are not viable attack vectors. For example: in the case of rsync they just terminate a connection with no server-side effect.

    • raspberriesareyummy@lemmy.world · 2 points · 13 days ago

      Of course, there’s that as well. And self-appointed “security researchers” auto-scanning repos and creating tool-submitted issues about “vulnerabilities”, wasting dev time.

      “Coding assistants” have to be considered for what their most likely intent is: a large-scale attack by megacorporations on the open source community, and the gullible people who use them should be treated as agents of a hostile corporation.