Posted by speckx 1 day ago

Opus 4.6 uncovers 500 zero-day flaws in open-source code(www.axios.com)
209 points | 140 comments | page 3
moribvndvs 1 day ago
My dependabot queue is going to explode the next few days.
zhengyi13 1 day ago
I feel like Daniel @ curl might have opinions on this.
Legend2440 1 day ago
You’re right, he does: https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyz...

Curl fully supports the use of AI tools by legitimate security researchers to catch bugs, and they have fixed dozens caught in this way. It’s just idiots submitting bugs they don’t understand that’s a problem.

ChrisArchitect 1 day ago
Earlier source: https://red.anthropic.com/2026/zero-days/ (https://news.ycombinator.com/item?id=46902374)
fred_is_fred 1 day ago
Is the word zero-day here superfluous? If they were previously unknown doesn't that make them zero-day by definition?
jfyi 1 day ago
I think it's a fairly common trope in communication to explain in simple terms any language that the wider part of an audience doesn't understand.
tptacek 1 day ago
It's a term of art. In print media, the connotation is "vulnerabilities embedded into shipping software", as opposed to things like misconfigurations.
limagnolia 1 day ago
I thought zero-day meant actively being exploited in the wild before a patch is available?
rcxdude 1 day ago
Zero day means that there are zero days between a patch being available and the vulnerability being disclosed (as opposed to the patch being available before disclosure).
Dylan16807 1 day ago
Discovering a zero day implies that there is no patch, but the term is talking about how long the vendor has known about the vulnerability.
bink 1 day ago
Yes. As a security researcher this always annoys me.
almosthere 1 day ago
I've mentioned previously somewhere that the languages we choose to write in will matter less for many arguments. When it comes to insecure C vs Rust, LLMs will eventually level out the playing field.

I'm not arguing we all go back to C - but for companies that have large codebases in it, the guys screaming "RUST REWRITE" can be quieted, and instead of making that large investment, the C codebase may continue. Not saying this is a GOOD thing, but just a thing that may happen.

LoganDark 1 day ago
I'm disappointed to see this article pine on about how excited they are for their models to help open-source projects find and fix their vulnerabilities, only to then say they're implementing measures to prevent it, just because attackers might use it.

At that point the article becomes "neener neener we can use our model to find vulnerabilities but you can't" which is just frustrating. Nothing's changed, then.

(Also, in a theoretical case, I wouldn't reasonably be able to use their model to find my own vulnerabilities before an attacker does, because they're far more invested and motivated to bypass those censors than I would be.)

ath3nd 1 day ago
[dead]
somalihoaxes 1 day ago
[flagged]