Giulio C 🔥🌸
@tunneleffext
54 posts

I write kernel modules… in JavaScript

Joined February 2012
446 Following, 241 Followers

Giulio C 🔥🌸 retweeted
Nassim Nicholas Taleb
Some fields work in theory but not in practice. Some fields work in practice but not theory. The uniqueness of economics is that it works in neither theory nor practice.

Giulio C 🔥🌸 @tunneleffext
@HaifeiLi @eternalsakura13 @thegrugq My guess is that AI tends to always find the same bugs. As a result, Chrome VRP gets flooded with duplicate bug reports found by multiple people all using similar AI systems. The value of external bug reports goes down. The value of RCE does not.

Haifei Li @HaifeiLi
> Maybe now chrome RCE is only worth a small amount now

I think this is a mistake, if they believe so. I believe Chrome RCEs essentially have value; this isn’t about how many bugs you predict the codebase may have or some “buying/selling economics” — c’mon, this is MBA logic! Chrome RCEs have value because Chrome has a *huge* user base, billions level; people around the world use it every day to browse websites. This is where the value sits. Also, I don’t think AI can find all the bugs. If they believe so, they are over-confident. If they have an AI slop problem, they can address that problem — there are some ways, like a “reputation based submission process” like other vendors do, not cutting the ability to receive real bugs. The only way it would work is if researchers continue to report RCEs to them no matter what, with like a maximum $5000 bounty? I think the probability is not very high. And this is Google; they are kinda risking their reputation if in-the-wild, APT attacks explode for their product (remember Flash Player, IE? Everyone joked about the vendors for years). Really, if they really have a budget problem, they can cut prices one step first, see how it goes, then maybe cut again, not cut once so dramatically. This doesn’t sound like something a mature, reputable, security-first big tech company would want to do. Overall, this dramatic change might be a mistake, IMO. I could be wrong, but, well..:)

Haifei Li @HaifeiLi
Well, I don’t participate in Google bug bounty programs, so I’m not sure about all the details, but it seems to me (I read other comments) that they’re reducing bounties for Chrome, and if so, this might be a big mistake. Chrome is such a critical browser (wait, what does that mean for other Chromium-based browsers like Microsoft Edge?), and it won the trust of billions of users through their security-first strategy. Most importantly, and this is an easy fact — the bugs that Google is not interested in can easily go to “black markets” because, e.g., RCE bugs essentially have “value”. We will probably see more in-the-wild Chrome 0days, unfortunately.. Even so, I don’t understand the “business logic” behind this decision. I checked, and last year Google paid out like 17M for all bug bounties across all their programs (including the clouds). That sounds like a big number at first glance but not really compared to Google’s massive revenue. Does even Google have financial pressure internally? Overspent on AI? Maybe, but security is probably the last thing you want to cut. Their business is still strong, stock ATH, so you definitely need to invest in security to keep your business protected. IMHO, my quick thoughts, take it easy.:)

Google VRP (Google Bug Hunters) @GoogleVRP
📣📢 Calling all Android and Chrome bug hunters 🧑‍💻🔎! We're updating our Android & Chrome VRP programs to ensure we can continue to reward the most challenging and impactful vulnerabilities researchers find in our products. For details, 👇 bughunters.google.com/blog/evolving-…

Giulio C 🔥🌸 @tunneleffext
@HaifeiLi All of the first 4 options can be reframed as: we don’t want to spend engineering effort on triaging external bug reports (which were 90% false positives anyway) when they’re nowadays mostly AI-generated reports that we can get ourselves.

Haifei Li @HaifeiLi
What could be the real reason behind the dramatic decision on the Chrome bug bounty? (I’m just being curious,😅 especially while studying the impact of AI on vulnerability discovery)
1. We can use AI to find all/most of the bugs, so we don’t need external help anymore. Chrome security stays the same or better.
2. We got so many AI slop reports through the bounty program, which cost our engineers a great deal of time, that we reduced the prices dramatically so nobody will even be interested in sending AI slop!
3. We will shift the bug hunting work to internal teams. Chrome security stays the same or better.
4. Unfortunately we miscalculated previously; the volume of bugs surpassed our expectation and our budget is broken, so we had to reduce the price per bug (even dramatically).
5. We don’t care about Chrome security anymore; nobody can leave because Chrome is a monopoly.😅 (no need to vote for this one)
6. Others, please specify?
Ref: x.com/loobeny/status…

Giulio C 🔥🌸 @tunneleffext
Has the economy trickled down yet? 🤡

jack @jack
we're making @blocks smaller today. here's my note to the company. #### today we're making one of the hardest decisions in the history of our company: we're reducing our organization by nearly half, from over 10,000 people to just under 6,000. that means over 4,000 of you are being asked to leave or entering into consultation. i'll be straight about what's happening, why, and what it means for everyone. first off, if you're one of the people affected, you'll receive your salary for 20 weeks + 1 week per year of tenure, equity vested through the end of may, 6 months of health care, your corporate devices, and $5,000 to put toward whatever you need to help you in this transition (if you’re outside the U.S. you’ll receive similar support but exact details are going to vary based on local requirements). i want you to know that before anything else. everyone will be notified today, whether you're being asked to leave, entering consultation, or asked to stay. we're not making this decision because we're in trouble. our business is strong. gross profit continues to grow, we continue to serve more and more customers, and profitability is improving. but something has changed. we're already seeing that the intelligence tools we’re creating and using, paired with smaller and flatter teams, are enabling a new way of working which fundamentally changes what it means to build and run a company. and that's accelerating rapidly. i had two options: cut gradually over months or years as this shift plays out, or be honest about where we are and act on it now. i chose the latter. repeated rounds of cuts are destructive to morale, to focus, and to the trust that customers and shareholders place in our ability to lead. i'd rather take a hard, clear action now and build from a position we believe in than manage a slow reduction of people toward the same outcome. 
a smaller company also gives us the space to grow our business the right way, on our own terms, instead of constantly reacting to market pressures. a decision at this scale carries risk. but so does standing still. we've done a full review to determine the roles and people we require to reliably grow the business from here, and we've pressure-tested those decisions from multiple angles. i accept that we may have gotten some of them wrong, and we've built in flexibility to account for that, and do the right thing for our customers. we're not going to just disappear people from slack and email and pretend they were never here. communication channels will stay open through thursday evening (pacific) so everyone can say goodbye properly, and share whatever you wish. i'll also be hosting a live video session to thank everyone at 3:35pm pacific. i know doing it this way might feel awkward. i'd rather it feel awkward and human than efficient and cold. to those of you leaving…i’m grateful for you, and i’m sorry to put you through this. you built what this company is today. that's a fact that i'll honor forever. this decision is not a reflection of what you contributed. you will be a great contributor to any organization going forward. to those staying…i made this decision, and i'll own it. what i'm asking of you is to build with me. we're going to build this company with intelligence at the core of everything we do. how we work, how we create, how we serve our customers. our customers will feel this shift too, and we're going to help them navigate it: towards a future where they can build their own features directly, composed of our capabilities and served through our interfaces. that's what i'm focused on now. expect a note from me tomorrow. jack

Giulio C 🔥🌸 @tunneleffext
@thedawgyg @_sehno_ Scudo is preventing you from crashing the target process? Usually Scudo crashes when you hit a bug there.

dawgyg - WoH @thedawgyg
@_sehno_ No, I haven't been able to yet. Scudo is preventing me :/

dawgyg - WoH @thedawgyg
Anyone have experience writing POCs for mobile (Android) memory bugs (UAF/DF)? I provided a POC that shows crashing my own app, but they have requested a POC that is reachable in a system process, and I can't do it. #bugbounty #security

Giulio C 🔥🌸 @tunneleffext
@freganmitts You're biased by the audience of your class. In Europe (especially Southern Europe) studying CS was never associated with higher salaries, and still there's a staggering imbalance of men/women in a CS classroom.

Francesca Comi @FranciComi
My first successful trade… lol kidding. But definitely my first sentimental trade — and I got 5x. I love Spotify, but I haven’t seen any new products or AI implementation. Have you?

nrv @nervoir
Got a spare offensivecon ticket in case anyone is interested. Preference for a student with an active presence in the scene. If so, it’s free.

Emiliano Morgia @emme_emi
Most criticisms of capitalism are, on closer inspection, complaints against the second law of thermodynamics.

Giulio C 🔥🌸 @tunneleffext
@Samyak1729 Still missing the first part though. “From a single electron in a potential well, to the transistor”

samyak @smykx
Goal is to get financially stable, then start programming for fun. This will be the first thing I touch.

Leopold Aschenbrenner @leopoldasch
AGI by 2027 is strikingly plausible. That doesn’t require believing in sci-fi; it just requires believing in straight lines on a graph.

Rogs 🔍🔸 @ESRogs
The Prime Minister of Singapore could have been a "world-class research mathematician" (!) according to his math professor at Cambridge:

Giulio C 🔥🌸 @tunneleffext
@ergot86 A *good* developer is probably also using the skillset of a security researcher (while the opposite isn’t necessarily true). But in general the barrier to producing more or less functioning code is lower than doing VR.

Giulio C 🔥🌸 @tunneleffext
@ergot86 Writing software entails relying on someone else’s foundation and building abstractions on top of that. Because of this, a lot of developers ignore the details under the hood and introduce vulnerabilities. Doing VR necessarily involves investigating and debugging those details.

Daniel @ergot86
Security researchers, even experts, should work in software dev for a while. It’s humbling. Creating software is more challenging than verifying it. It is easy to find vulnerabilities in software that you might not have the skills to develop by yourself.

chompie @chompie1337
The Bad Binder bug strikes again, this time in io_uring flavor.

Giulio C 🔥🌸 @tunneleffext
@AlejandroPiad No contradiction at all. The “free market” condition is unstable and tends toward inequality. With big inequality you have billionaires, whose presence hinders the free market (think about oligopolies and market concentration). You need to rebalance to keep the free market condition.

Alejandro Piad Morffis @alepiad
Here are two seemingly contradictory beliefs of mine that I cannot completely marry: I believe free market and fair competition are crucial for innovation, but at the same time I believe billionaires have a net negative effect on worldwide happiness. Where's the contradiction?