Arthur Gervais

not sure what's best, there are pros and cons "self-reported" is difficult to verify, may not be available at scale but would give a strong industry signal (like cost of mass to orbit 🤣) "reproduced" is scalable but my not be fully representative (harnesses/data/context/models/hardware may be different) besides the costs of a positive, the costs of negatives could also be relevant. Possibly the costs of FP and FN as well. the choice of the right target (if CVEmaxxing) is itself a hard problem

one thing that would be super dope, is $ / CVSS something that quantifies the $ amount per vuln, adjusted for criticality or similar that's v important because the more efficient the more often the agents can scan and fix things. The more frequent scans can become, the more secure the internet should become. in general, token efficiency will also likely become more important/looked at over the next months

Agents are finding more vulnerabilities than ever. But it turns out there are gaps in existing vulnerability discovery. Over the past 90 days vs. a year ago, web vulnerabilities (XSS/SQLi/CSRF) are down 66% and memory safety exploitability is down 3.5x. We built the Agentic Vulnerability Coverage Map to track it all, updated daily. Introducing the Berkeley Vulnerability Initiative: https://t.co/qiZ4eThb0n. ⤵️