3/29/2025 at 11:03:41 PM
Hey guys we commented on another thread from a few days ago about our tool Bismuth finding the bug (along with a sha of our reproducer script for proof) https://news.ycombinator.com/item?id=43489944After disclosing and having correspondence with Gerlof and from his above post it looks like we did in fact nail it and I've just shared our write up on how we got it.
HN post detailing how we got it: https://news.ycombinator.com/item?id=43519522
Edit: Here's our reproducer and we've added it to the post too: https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be...
by ianbutler
3/30/2025 at 7:41:25 AM
> HN post detailing how we got it: https://news.ycombinator.com/item?id=43519522I don't see any details there. Is there some link missing here, or is it the wrong link?
I'd be interested to read how your tool found it.
by hannob
3/30/2025 at 10:29:18 AM
It's just "we asked our LLM and it found the bug", as I understand it.by stavros
3/29/2025 at 11:08:43 PM
What is that a hash of?by saagarjha
3/29/2025 at 11:08:54 PM
As noted, our reproducer scriptby ianbutler
3/29/2025 at 11:10:39 PM
Right, but where’s the script?by saagarjha
3/29/2025 at 11:17:49 PM
https://gist.github.com/kallsyms/3acdf857ccc5c9fbaae7ed823be...From my co-founders account
by ianbutler
3/29/2025 at 11:39:56 PM
Cool, thanks for adding it. It would also be nice if you posted how you generated the hash :) I’m not trying to be annoying but this is a critical part of how these hashes work; you post the hash early to indicate you have some information early and then later you demonstrate that by actually presenting the artifact with that hash. If you don’t publish the artifact so people can check that it is actually what you claim it is then your hash is worthless (as nobody can prove it’s not, like, the hash of a cat photo). And you’d generally want to demonstrate how you generated the hash just so people don’t have to figure out whether to md5 or sha1sum it.by saagarjha
3/29/2025 at 11:53:24 PM
Hey yeah got caught up in the excitement of finding it :)It's a SHA256 - `shasum -a 256 server.py`
by kallsyms