{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreic2xifpxyipo7ldrxsz7yade56d4kwrfuhlyxuwcnq4wda445e56q",
    "uri": "at://did:plc:hqad6xwuzg7oqfmwylfkvqfm/app.bsky.feed.post/3mgt57rv7boi2"
  },
  "path": "/viewtopic.php?t=33234&p=271028#p271028",
  "publishedAt": "2026-03-11T23:13:50.000Z",
  "site": "http://forum.palemoon.org",
  "textContent": "I haven't read the article but these headlines are not to be trusted without actually reading the reports...\nFor example, if I do something like this C code snippet:\n\nCODE:\n\n    char *dup = NULL;\n    if (a_string && length > 0 && length < 30) {\n        dup = strdup(a_string);\n    }\n\nA non-trivial amount of \"checkers\" will report a security bug because strdup is commonly associated with unbounded memory reading which can be easily exploited.\nBut, anyone reading the code will notice that strdup is called only in a block that's well guarded and cannot be exploited, effectively making the automated security report invalid.\n\nThis example is artificial and an example, but the cURL project (you know, the most used tool to make HTTP requests) routinely received this kind of report (i.e., invalid security issues caused by the _presence_ of a function, irrespective of its _usage_) to the point they closed their bug bounty program.\n\nIf the over 100 bugs are of the same nature, and when investigated they turn out to be invalid, the headline is just marketing.\n\n* * *",
  "title": "General Discussion • Re: Mozilla: Claude uncovered over 100 Firefox bugs + high-severity flaws in 2 weeks",
  "updatedAt": "2026-03-11T23:13:50.000Z"
}