We just added 553 new SAST rules to https://t.co/LpjYFViYf4!!
https://t.co/LpjYFViYf4 is a free community hub where developers, security engineers, AppSec teams, DevSecOps teams, and AI coding-tool users can explore, inspect, download, and share OpenGrep/Semgrep-compatible SAST rules.
Our goal is simple: make SAST rules easier to access and use.
These new rules are now available on https://t.co/LpjYFViYf4 and can be used through greprules Plugin in local development and AI-assisted coding workflows.
Explore the new rules here: https://t.co/RUP3e6QuHe
#SAST #OpenGrep #AppSec #DevSecOps #ApplicationSecurity #AICoding #greprules
We’re launching https://t.co/LpjYFViYf4 and greprules Plugin! (with 1487 free Apache 2.0 SAST rules)
https://t.co/LpjYFViYf4 is a free community hub where developers, security engineers, and AI coding-tool users can discover, inspect, download, and share OpenGrep/Semgrep-compatible SAST rules.
greprules Plugin helps users apply those rules in local development and AI-assisted coding workflows, including workflows with tools such as Claude Code, Codex, Hermes, and other coding agents.
Provally-published rule packs and greprules Plugin are free to use under Apache-2.0. Rules are available on https://t.co/RUP3e6QuHe, and the plugin is available at https://t.co/mY2InN80iL.
We built greprules because software development is changing. With AI-assisted development and vibe coding, more people are building software faster than ever. Experienced engineers are using AI tools to move faster, and non-traditional developers are creating prototypes, internal tools, automation scripts, and real applications. Security checks need to become easier to access and use in that new workflow.
This launch builds on our earlier technical work, “CVE to SAST Rule Generation: How We Build OpenGrep Rules from Real Patches.” In that work, we explored how Provally turns public CVE evidence, real patches, vulnerable code, and fixed code into OpenGrep rule candidates. https://t.co/LpjYFViYf4 is where rules become accessible, and greprules Plugin is how users bring them into local and AI-assisted coding workflows. AutoProof then helps verify which SAST findings are real and provides evidence for remediation.
Explore https://t.co/LpjYFViYf4: https://t.co/RUP3e6QuHe
Try greprules Plugin: https://t.co/mY2InN80iL
Read the launch post: https://t.co/KoCuMdyXN4
#greprules #SAST #OpenGrep #Semgrep #Free #ClaudeCode #codex #hermes #vibecoding #appsec #applicationsecurity #productsecurity #devsecops #provally #autoproof
Low-impact bugs: exist💥
AppSec engineers: "Too many, too annoying. Next!" 🙅♂️
But those tiny bugs can be chained into nasty attacks. SAST is perfect for finding them, and @Provallyio does the heavy lifting by automatically analyzing and verifying them for you. Work smarter, not harder!
Gadgets: Turning harmless bugs into P1s
Gadgets are low-impact bugs, like open redirects or client-side quirks, that seem harmless alone. But when you chain these pieces (Prototype Pollution, cookie injections, etc.), you can build a high-impact exploit that crushes a hardened target.
Let’s learn.
🧵👇
SAST has a reputation problem.
Many security engineers and developers have spent too much time chasing alerts that later turned out to be false positives. That pain is real. But I do not think it means SAST is meaningless.
At Provally, we built AutoProof to help solve this exact problem. AutoProof uses AI agents to analyze SAST findings, generate and test proof of concept cases in a controlled environment, remove false positives, and provide clear evidence for true positives.
While testing AutoProof on open source projects, we found more than security issues. Today, we reported two bugs and one vulnerability to project maintainers. This reminded us of something important.
SAST is described as a vulnerability scanner, but it is also a way to detect patterns of poor code. Many SAST rules are created from real mistakes that developers have made before. Now, as AI agents write more code, the same idea becomes even more relevant.
In security, we often say we are finding vulnerabilities. But from a broader engineering perspective, we are also helping improve code quality. That is how we think about our work at Provally.
AutoProof is a security product, but the goal is not only to find risks. The goal is to help engineers focus on what matters, reduce wasted time, and make software more reliable.
Even when we find something that is just a bug, we still want to report it and contribute back to the open source community.
We just launched a free plan for #AutoProof.
SAST tools are great at finding potential vulnerabilities, but anyone who has worked with them knows how much time can be lost reviewing alerts that turn out to be false positives.
At @Provallyio, we built AutoProof to help security teams verify which findings are actually exploitable.
AutoProof uses AI agents to write and run Proof of Concept tests for SAST findings in a controlled environment. The goal is simple. Move beyond “this might be vulnerable” and get closer to “this has been proven.”
Each result comes with clear evidence, including the original finding, exploitability assessment, PoC summary, and execution details. This helps teams spend less time on noisy alerts and more time fixing real issues.
Our free Starter Plan is now available.
It includes 20 SAST checks per month and supports findings from Semgrep, Opengrep, and SARIF compatible scanners.
We’re opening this up for developers, AppSec teams, security engineers, and open source maintainers who want a faster way to validate SAST results with real evidence.
Try AutoProof for free today.
https://t.co/dUiV4opCF1
#AppSec #Cybersecurity #DevSecOps #SAST #AI #SecurityEngineering #Provally #AutoProof #FalsePositives #VulnerabilityManagement
We’re starting a small free project for open-source maintainers who are overwhelmed by security reports or bug bounty submissions.
I’ve also been seeing more discussion recently about bug bounty platforms and maintainers struggling with fake, low-quality, or hard-to-verify vulnerability reports.
At Provally, we’re building AutoProof, an AI agent that helps validate false positives from SAST and code security scanner results.
The core idea is simple. Instead of leaving everything to manual triage, AutoProof looks at the actual code context, checks whether an issue is reproducible or exploitable, and returns a short evidence-based verdict.
That made us wonder if the same validation workflow could help open-source maintainers and bug bounty operators handle incoming vulnerability reports too.
If you maintain an open-source project and have security reports sitting in the queue because they are hard to verify, we’d like to help.
Send us a few vulnerability reports or security-related bug reports, and we’ll help check whether they are actually reproducible, exploitable, or likely noise. Then we’ll give you a short evidence-based write-up you can use to make a decision.
No payment. No long setup. Just a small collaboration to help maintainers reduce triage burden and help us learn from real-world workflows.
We’re especially interested in reports where
- the issue is hard to reproduce
- the impact is unclear
- maintainers are not sure if it is real or noise
- the report includes a PoC but nobody has had time to verify it
Please do not post sensitive vulnerability details in the comments. Also, we can only help with projects you maintain or reports you are authorized to share.
If you’re interested, DM me or email us at [email protected]
And if you know an open-source maintainer who is drowning in security reports, please tag them or share this with them. We’d love to help.
---
We are starting a small community project!
We are looking for open-source maintainers who are struggling to handle the large volume of security reports or bug-bounty-style reports coming in.
Recently I have seen many accounts of bug bounty platforms and open-source operators struggling with fake reports, low-quality reports, or vulnerability reports that are hard to verify.
At Provally, we are building an AI agent called AutoProof. AutoProof was originally an AI agent that verifies false positives arising from SAST or code security scanner results. Instead of manually verifying every judgment, it looks at the actual code context, actually executes the code to check whether an issue is reproducible and genuinely exploitable, and then provides a report based on execution evidence.
That led us to think that this approach might also help open-source maintainers and bug bounty operators verify the vulnerability reports they receive.
If you run an open-source project and have incoming security reports where it is hard to tell whether an issue is real, reproducible, or actually dangerous, we would like to help verify them for free.
If you share a few vulnerability reports or security-related bug reports, we will check whether they are actually reproducible, exploitable, or closer to false positives, and summarize the results in a short evidence-based report.
It is free, and we intend to keep complex setup to a minimum. We also want to learn from the workflows of real open-source maintainers, and we want to reduce the vulnerability verification burden on maintainers even a little.
If you are interested, please DM us or contact us at [email protected]!
If you know an open-source maintainer struggling with security reports, we would be very grateful if you tagged them or shared this with them. We will help!
For too long, security has been a bottleneck. Developers and security teams are drowning in SAST alerts, wasting endless hours triaging "probabilities" instead of fixing real threats. This complexity acts as a shackle on innovation.
At Provally, our mission is to liberate builders from these security constraints.
We believe security should be an enabler for bold challenges, not a shackle. We are building AutoProof, an execution-based engine that turns "probability" into "proof," to create a world where builders can focus entirely on their business essence, free from the fear of threats or alert fatigue.
To succeed, we need partners who think big and execute fast. We are looking for Founding Members to join us in this mission to build Frictionless, AI-Native Autonomous Security.
Join our mission as:
☁ Founding Platform Engineer: Architect the secure, multi-tenant sandbox that serves as the foundation for autonomous verification.
🤖 Founding AI Automation Engineer: Build the "Company OS"—turning internal workflows into AI agents that give us 100x leverage.
📈 Founding Data & Analytics Engineer: Quantify "Proof." Build the pipelines that turn security data into ROI and product growth.
If you want to build a future where security is invisible yet absolute, let’s run together.
#AutonomousSecurity #FoundingTeam #Provally
Maintainers and AppSec teams are currently being buried under a mountain of AI-generated junk. These reports are often just word salads describing non-existent vulnerabilities. This 'slop' is ruining the experience for everyone.
But here is the reality: The solution isn't to stop using AI. It's to stop using AI for guessing and start using it for proving.
A bug report without a Proof of Concept (PoC) is no longer acceptable. In an era where anyone can generate a plausible-looking report, the only currency that matters is technical proof.
At Provally, we believe the future of SAST isn't just identifying potential sinks—it’s about automatically generating the exploit to prove it's real. If an AI can’t show you how to trigger the bug, it shouldn't be making noise in your inbox.
It’s time to move from AI-as-a-copywriter to AI-as-a-validator.
#AppSec #Cybersecurity #BugBounty #AI #WhiteHatHacker
The reason audits are expensive isn't because security companies are a cartel. It's because our industry is still stuck in the era of manual craftsmanship. If we genuinely want to bring down the cost to ship correct software, we have to stop relying on manual verification. By turning security verification into a programmable, automated process, we can finally lower the barrier to entry for the next generation of builders.
Over the last few years I have done quite a bit of AI tooling and I thought it was a good time to share some of my learnings. I'm really interested in feedback from other people who are working on similar things!
Blog: https://t.co/jQirSUrlkK
GitHub: https://t.co/4yKQJtfwkU
Did your team spend days fixing vulnerabilities, or just filtering False Positives?
Stop the waste. Provally's AI auto-generates executable PoCs to prove exactly which alerts are real.
Don't guess. Let the PoC prove it.
👉 https://t.co/7wRM51cGEk
#AppSec #DevSecOps #Provally #SAST #FalsePositive