over the weekend we did:
hackerone_count += 2;
Now at 142 submissions this year so far for #curl. Out of which 8 were confirmed actual vulnerabilities.
@bagder Interesting! Thanks for sharing. Sequoia received 74 reports this year on yeswehack and we've confirmed 6 vulnerabilities. Of those, none were serious. Two had to do with wasting resources on specially crafted input. Two were out of bounds array accesses that result in a panic (we're using rust). One was a terminal injection, because we forgot to escape attacker controlled data that we print. And the last one was forgetting to check that the value returned from malloc is not NULL.
@bagder How many of the not-actually-vulns were good-faith or otherwise helpful?
@wolf480pl 32 of them were marked "informative", which typically means they identified a bug - just not a vulnerability or security problem.
@bagder Interesting. Even when removing the AI slop count from the tallies, this year has the worst ratio of actual vulns to reports.
Do you have insights as to why that is?
@bagder Sloppy work by the submitters. (In the traditional, but maybe also in the modern sense)