Black Duck products

https://www.blackduck.com/fuzz-testing.html

OpenText products

https://www.opentext.com/products/dynamic-application-securi...

I won’t say how much they are here but they are very expensive.

Just to be clear: your claim is that the Black Duck fuzzer would have enabled the rapid discovery of kernel vulnerabilities in macOS?

Question was about high licensing fees and which tools I was referring to

I’m not claiming Defensics or OpenText DAST tools are magical “find all kernel vulns” buttons

My point is more that mature fuzzing ecosystems already existed before the recent AI-driven approaches. Protocol fuzzers, syscall fuzzers, coverage-guided fuzzers, sanitizers, dynamic analysis, etc. have all historically found serious kernel bugs

We might just be talking past each other. My question, from upthread, is this: the heyday of AFL was over a decade ago. Every major platform company fuzzes at a scale that I think is difficult for lay practitioners to get their heads around. They contract, quarterly, soup-to-nuts assessments from competing software security companies, who get full source access and are measured against each other by the quality of their findings. They run bounty programs specifically to direct public researcher attention to these exact findings.

Why didn't "mature fuzzing ecosystems" find the vulnerabilities AI is now finding? It's a pretty big gap in the "fuzzing tools already do this" logic!

> Why didn't "mature fuzzing ecosystems" find the vulnerabilities AI is now finding? It's a pretty big gap in the "fuzzing tools already do this" logic!

Because they simply aren’t ran. That’s my entire argument

You're wrong about that.

How? If the tools were ran the same findings may have occurred.

No, the point is they are very different tools that produce very different outcomes. Your syllogism doesn't work.

Claude et al have “skills” that are basically containers of tools. It’s not a huge leap to say that similar tools are in use within these containers or even same. We don’t know.

Yes, we do.

Getting alot of short line replies. Got any link to any documentation / traceability to that claim?

I work in this field, have done work for some of the vendors we're discussing, and talk daily to security engineers working on these problems at these vendors. You are wrong.

Well we aren’t going to get anywhere. I asked for evidence and didn’t receive any.

Just so we're clear you're asking for evidence that Apple and Google... run fuzzers.

All software assurance tools. Prove they run them (binary analysis, fuzzers, static analysis, etc) and how that differs from what Mythos is doing (which likely is using those tools as skills) along with objective evidence for each

Yeah I'm pretty content to rest my case here. If it's helpful to you to know this, you're wildly wrong here, like "the search bar on this website will show you to be wrong" wrong, but I'll leave it at that.

Thanks for not answering.