🧵 1/ @mdorsi suggested a follow-up thread on our experience switching to webauthn & so here goes. I will first start with the good parts before jumping into lessons that might be useful for other security teams. If you find this fun, come join us at https://t.co/Vqzwrtua5e
1/ Recently, we switched Figma's Okta to only allow phish-proof webauthn/FIDO MFA. I wanted to share a few things that helped us and might come in handy for any other security team.
One of the most important and under appreciated trends in the world right now.
1. 100s of billions of dollars will soon be available to solve big problems (making the world resilient to ASI, ending factory farming, etc).
2. The projects and organizations which will turn billions of 2027/28 dollars into impact need to be started NOW.
3. We need really talented people to start and run and work for these new projects. What @nanransohoff calls general managers, who feel personally resposible for solving one of the world’s important problems.
What is especially scarce are detailed visions about what making AI go well looks like. These will help inform what problems these new projects ought to work on.
Security is an economic decision.
For a fixed cost, within @XBOW, which model has the best odds of crafting an exploit?
GPT-5.5 > Mythos > Opus 4.6 on real OSS web vulns.
Curves below.
@ShriramKMurthi Sorry ... Not sure if you are commenting or asking. For us at Figma, we definitely have a class of new reporters utilizing AI tools to find subtle bugs and then creating poc etc. Their reports are not slop: pretty high signal and if anything AI has made their English much better
1/ Common take right now: AI slop is making bug bounties useless. My thesis (partly based on my recent experiences at Figma) is the opposite — bug bounty matters more in the AI era, not less. Quick thread on why.
6/ Labeled vulns, in your own codebase, from a perspective your team doesn't have — that's gold for AI-assisted security.
Bug bounty is the best source of it I know.
Don't shrink the program. Lean in.
5/ Bug bounty submissions are exactly that data.
Even the "accepted risk for legacy reasons" reports become evals — so your AI reviewer flags when an engineer introduces a new instance of the same pattern.
@libber But, IMO, under appreciated in most places (I know not you; but a lot of written stuff misses this) is how "prevent" is the biggest leverage. Have _fewer_ dependenices; those you do, have very few with attack surface (e.g., move to a sandbox or don't let them listen on internet)
There is nothing about this that is amazing. It was predicted endlessly, and those predictions were dismissed by people citing the fact that big companies opposed these measures. They opposed them because while their relative position is stronger, the pie is now smaller.
@frgx If you didn't worry about 0-days before, you don't have to worry about them now. And for the people who did worry about them before, nothing has changed.
It's not a completely new ballgame, it's the same field but with faster rate of play.
The good news: defenders leverage AI too.
At Figma, we’re already seeing real leverage in prevention, detection, and incident response. If you are wondering what this looks like, come join us! https://t.co/U1PymssV86