Build your own vulnerability harness
5 hours ago
- #Model-Agnostic Architecture
- #AI Security
- #Vulnerability Research
- Project Glasswing explores using frontier AI models for enterprise code security, highlighting the need for a model-agnostic architecture to avoid reliance on any single model.
- A two-stage vulnerability research workflow is implemented: the Vulnerability Discovery Harness (VDH) for discovery and the Vulnerability Validation System (VVS) for triage, using different models to cross-check findings.
- Key stages in VDH include Recon, Hunt, Validate, Gapfill, Dedup, Trace, and Feedback, with strict context controls and persistence to prevent hallucinations and data loss.
- The system emphasizes adversarial verification, requiring proof-of-concept tests and patches for each finding, and uses deterministic code to validate paths and prevent false positives.
- Fleet-wide scanning enables cross-repo dependency tracing, uncovering systemic flaws, with deduplication agents to manage overlapping findings and a wishlist mechanism for agent resource requests.
- Metrics focus on filtering raw candidates into actionable findings, with ~12,057 high-integrity findings from 20,799 raw candidates, and automated patching saving engineering hours.
- The architecture decouples security logic from model providers, ensuring robustness through independent triage and human-in-the-loop safeguards for code changes.