depthfirst

75 posts

depthfirst banner
depthfirst

depthfirst

@depthfirstlabs

Autonomous Security From Design To Production

San Francisco Katılım Nisan 2025
28 Takip Edilen843 Takipçiler
depthfirst retweetledi
FFmpeg
FFmpeg@FFmpeg·
Recently, @depthfirstlabs with AI found 21 security issues. Legit, credit where it's due, some of them were serious. Whilst disclosure is nice, and some fixes were even sent out, like with the Mythos-found issues, the best would have been to avoid having the issues altogether.
English
30
48
2.4K
233.9K
depthfirst retweetledi
QM
QM@qasimmith·
Recent developments have shown us why defenders should avoid becoming too dependent on any single model or provider. Security teams need critical capabilities to remain reliable, available, and consistent as models, policies, providers, and access change. That belief has shaped how we built @depthfirstlabs: use the best models available, including our own, but do not depend on any one of them. More in my article:
QM@qasimmith

x.com/i/article/2066…

English
7
13
112
798.2K
depthfirst
depthfirst@depthfirstlabs·
Thank you @LowLevelTweets for covering our work on FFmpeg! Find the full video and the technical writeup through the links in the comments.
English
5
4
32
310.2K
depthfirst retweetledi
depthfirst
depthfirst@depthfirstlabs·
@FFmpeg Thank you @FFmpeg. That's why we launched ODI, a $5m commitment to help maintainers of critical OSS projects use depthfirst to find, triage, and remediate vulnerabilities in their code and PRs. We’d love to give you access. More info here: depthfirst.com/open-defense
English
5
7
192
20.5K
depthfirst retweetledi
Zhenpeng (Leo) Lin
Zhenpeng (Leo) Lin@Markak_·
Big fan of the work Calif is doing so happy to add some color here. I like the idea behind ngxray, but it can also be misleading. It's a pure syntax matching which will never work well on semantically rich languages. e.g. the following would be completely missed: location / { rewrite ^/(.*)$ /m/$1?x=1; rewrite ^/no/(.*)$ /q/$1; rewrite ^/m/(.*)$ /n/$1$host; # real sink: overflows, never evaluated } I'm happy to see healthy technical discussion, but I don't think the claim that "nginx-rift" affects only 1 public nginx config is accurate. In an enterprise environment, you never know how developers will write their configs. In private chats, we have been made aware of multiple enterprises having this issue. By the way, we also have full-chain nginx 0-day with ASLR bypassed, but we won't publicly market it until it's fully fixed.
Calif@calif_io

We'd love to be proven wrong here. As a red team, few things are more exciting than a reliable nginx RCE. For some context: we discovered at least two nginx 0-days and successfully weaponized one into a full RCE, bypassing ASLR with no external dependencies. We were thrilled, until we realized both bugs appear to require highly unusual nginx configs that we've yet to encounter in the wild. That's why we built ngxray: github.com/califio/ngxray. After analyzing 35,000+ nginx configurations from GitHub, we found exactly one instance vulnerable to nginx-rift, in an abandoned project. We found none vulnerable to nginx-poolslip. Users should absolutely patch. But from a red team perspective, these exploits have been worthless. We've never encountered a target where they'd have been useful. If anyone has evidence that these configs are common in real-world deployments, we'd like to see it. Everybody wants their five minutes of Twitter fame. That's fine. But extraordinary claims still require extraordinary evidence.

English
2
6
55
9.9K
The Hacker News
The Hacker News@TheHackersNews·
🔥 AI just found 21 zero-days in FFmpeg. That’s the video library bundled inside many apps, tools, containers, and devices. Some bugs sat untouched for 15–20 years. Google Chrome also dropped PATCHES for a record 429 vulnerabilities this week. Read: thehackernews.com/2026/06/ai-age…
English
13
115
350
33.3K
depthfirst retweetledi
Zhenpeng (Leo) Lin
Zhenpeng (Leo) Lin@Markak_·
We helped FFmpeg find and fix 21 security vulnerabilities. In a 1.5M-line codebase, we spent just $1K in API costs. Some of these bugs had been hiding for decades. We also developed a PoC demonstrating an RCE primitive when FFmpeg processes RTSP streams. Full write-up: depthfirst.com/research/21-ze…
English
5
67
378
339.2K
Martin Shkreli
Martin Shkreli@MartinShkreli·
what are the most cybersecurity-friendly models for identifying vulnerabilities right now? mythos isn't accessible, chatgpt cyber still refuses. what's out there that isn't a wimp?
English
170
11
585
118.3K
depthfirst retweetledi
QM
QM@qasimmith·
AI agents are enabling every team to build useful software. This is incredibly exciting, but it also means the attack surface is changing. We recently learned that our adversaries are already using frontier models to create malware and exploit vulnerabilities. To address this, today we’re launching the depthfirst Dependency Firewall to find and block malware in supply chain dependencies before they’re installed. It uses the same engine that discovered NGINX Rift, now optimized to detect malware in open-source packages. We want companies to move faster with AI, without compromising security. Above all, @depthfirstlabs is a mission driven organization. This is another step towards achieving our mission of securing the world's software, an increasingly urgent need as artificial intelligence accelerates how software is built, deployed and attacked.
QM tweet media
English
20
32
333
1.7M
depthfirst
depthfirst@depthfirstlabs·
@aussiExau @qasimmith Thanks for the support @aussiExau - you'd help a lot if you could repost this to spread the word! x.com/qasimmith/stat…
QM@qasimmith

Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. The timing matters: frontier models can autonomously discover and exploit vulnerabilities in widely-reviewed codebases. Open source models will catch up soon, and when they do, bad actors will have unfiltered access to these capabilities. We have a narrow window to harden critical software before that happens. This is the time to act, but until today frontier-level security, like what Mythos offers, has been reserved for a handful of large companies who are required to pay a lot for access. depthfirst is not only comparable in performance but also goes significantly beyond surface level findings, highlighting real, exploitable vulnerabilities due to its understanding of the system’s context and ability to verify like an attacker would. depthfirst found vulnerabilities in FFmpeg that Mythos missed, at a tenth of Anthropic's self reported spend. We want every defender to have these capabilities, starting with the open source projects the world runs on. If you maintain a critical open source project, apply for Open Defense credits through the form in the comments.

English
0
0
1
33
depthfirst
depthfirst@depthfirstlabs·
@Forbes Thank you @Forbes for the coverage! We want to give all defenders access to frontier-level security and you're helping us broader our reach.
English
0
1
4
246
Forbes
Forbes@Forbes·
This Startup’s AI Found Critical Vulnerabilities That Anthropic’s Mythos Missed forbes.com/sites/thomasbr… (Photo: Depthfirst)
Forbes tweet media
English
9
16
73
124.7K