Dailydave mailing list archives
Re: Defense ?
From: Dean Pierce via Dailydave <dailydave () lists aitelfoundation org>
Date: Sun, 16 Nov 2025 06:37:53 -0800
I like the idea of having a software supply chain that people can pay into that basically funds a universal bug bounty system for anything that matters. You can put systems in place that utilize zero knowledge exploitability proofs to automate bounty triage, so it doesn't even need to be run by a central trusted entity.

As the bounty markets stabilize, what you're left with is a software ecosystem where anyone can build what they need and directly query the estimated cost of attack from point A to point B on any set of capabilities, and any security claim ("Your emails are safe with Microsoft", etc.) can actually be economically quantified. Hosting providers can use their subscription income to pay into the bounty funds of the parts of the supply chain they rely on, thus making their services more attractive to users (and bug hunters).

On the other side of this, you now have a world of vuln researchers and their pet LLMs grinding and searching away for unexplored attack paths they can cash in on.

Of course, these bounty systems can also work for optimization bounties for people making code faster, or feature bounties. Some kid somewhere has an idea for a feature in some piece of software that they're using, so they post about it, and a few thousand people chip in, and when the bounty becomes appetizing enough, someone's AI pet grabs it, and they get paid, and within minutes the update is deployed into the ecosystem. Then, on everyone's device, depending on their risk tolerance and their use case, the AI can decide if this new update is supported enough by the ecosystem yet to apply. Maybe we don't apply it now, but maybe in 30 mins if no one has found anything weird in it.

This is the dream, right? Fully automated, self-improving, self-healing software ecosystem where researchers can get paid without even needing to talk to anyone :-D

- DEAN

On Sat, Nov 15, 2025 at 6:32 PM Dave Aitel via Dailydave <dailydave () lists aitelfoundation org> wrote:
> How would one actually move the actual bar in defense? A big part of me thinks that you're just not going to patch your way out of the problem. But the number of organizations that you can rely on to actually make a difference seems pretty small? Like even converting every Linux binary to Rust would only make sense if you could find a team that could actually maintain and support that code base, which I don't know that you could. Like in a sense, what you have to do is completely rebuild how you're building software and have the large language model be the intermediary for everything?
>
> Dave
_______________________________________________ Dailydave mailing list -- dailydave () lists aitelfoundation org To unsubscribe send an email to dailydave-leave () lists aitelfoundation org
Current thread:
- Defense ? Dave Aitel via Dailydave (Nov 15)
- Re: Defense ? Conan Dooley via Dailydave (Nov 16)
- Re: Defense ? Alfonso De Gregorio via Dailydave (Nov 16)
- Re: Defense ? Chris Anley via Dailydave (Nov 16)
- Re: Defense ? Dean Pierce via Dailydave (Nov 16)
- <Possible follow-ups>
- Re: Defense ? etojake--- via Dailydave (Nov 16)
