General Discussion • Re: This might spawn THOUSANDS of vulnerabilities on Pale Moon (Or might not)
You might want to keep it realistic and not have such a clickbaity topic title. Examination of code, for starters, won't spawn any vulnerabilities in code - at most you might find them.
Yes, LLMs might find plenty of potential vulnerabilities in large and complex code like ours. That is no different than any human who might when just analysing the code. The real question is which of those potential vulnerabilities are actually real and exploitable? The problem with finding any code vulnerability is that it's generally very difficult to exploit something. Some things are low-hanging fruit, but almost all of it would not be feasible in practice unless you already have some pretty outlandish prerequisites fulfilled (making any solution defence-in-depth at most).
I've seen an uptick in Mozilla sec bugs in recent months because there has been more AI-assisted reporting done; did I see an uptick in things applying to Pale Moon? Not at all. This is because almost all of it has been finding things that could potentially be wrong in e10s and its messaging protocol, not actual core code otherwise. A lot of those "vulnerabilities" have a prerequisite of a compromised content process to even be considered security sensitive, because it relies on the messaging between processes being purposefully manipulated by a bad actor through a compromised content process. So you're already looking at a compromised process, an actor being somehow (which isn't specified) able to use that to send specific messages to the parent process, which then results in a vulnerability. None of that is likely or even possible in many cases, but theoretically it's a vulnerability. e10s is an Achilles' heel, of course, but even with that obvious entry point for examination and exploitation, there haven't been "thousands" of vulnerabilities found.
If there's a concern that AI assisted examination of our code gives rise to vulnerabilities in Pale Moon, despite me ensuring for the lifetime of the project that every reported security issue (both from Mozilla security and directly reported to me) was examined and any applicable security issue was patched, then by all means, send me those reports. Do make sure it's not hallucinated garbage though.