Apparently OpenAI allowed the deal to expire; likely Google had already been in discussion with Windsurf as I'm sure they knew the deal was likely to die well before today.
Walt Disney doesn't pay bug bounties. AT&T's bounties go up to $5k, which is decent but still not much. It's possible that the market for bugs is efficient.
Walt Disney's program covers substantially more surface area, there's 6? publicly traded companies listed there. In addition to covering far fewer domains & apps, AT&T's conditions and exclusions disqualify a lot more.
The market for bounties is a circus, breadcrumbs for free work from people trying to 'make it'. It can safely be analogized to the classic trope of those wanting to work in games getting paid fractional market rates for absurd amounts of QA effort. The number of CVSS vulns with a score above 8 that have floated across the front page of HN in the past year without anyone getting paid tells you that much.
> The market for bounties is a circus, breadcrumbs for free work from people trying to 'make it'.
> The number of CVSS vulns with a score above 8 that have floated across the front page of HN in the past year without anyone getting paid tells you that much.
You make it sound like there's a ton of people going around who can just dig up CVSS vulns above 8, and it's making me all confused. Is that really happening? I have a single bounty on H1 just to show I could do it, and that still took ages and was a shitty bug.
Yes, I'm sure anyone with more HackerOne experience can give specifics on the companies' policies. For now, those are the most objective measures of quality we have on the reports.
This is discussed in the post – many came down to individual programs' policies e.g. not accepting the vulnerability if it was in a 3rd party product they used (but still hosted by them), duplicates (another researcher reported the same vuln at the same time; not really any way to avoid this), or not accepting some classes of vuln like cache poisoning.
If you can eventually guarantee you’ll get a robotaxi instead of a car with a driver when you call one (unlike Waymo in Austin, now, thanks to their dumb partnership with Uber), they’ll likely do ok in the longer term.
I'm rooting for Tesla being able to provide some driverless taxi competition to Waymo. Hopefully both can increase supply enough to allow for a guaranteed robotaxi booking, although anecdotally I haven't found it that hard to get a Waymo through the Uber app depending on the time.
I’ve only tried twice (after using it ~30 times during the preview directly through the Waymo app) - neither time resulted in a robotaxi though, and one resulted in a driver that smelled so bad I’ve sworn off ride sharing until the end of summer.
Hopefully the Tesla app forces Waymo to reconsider their deal with Uber altogether and just run it themselves like they do in San Francisco.
The paper mentions in multiple places, including the abstract, that the cause of higher microplastics readings was likely from the bottle caps, given that the found microplastics matched the color and composition of the paint on the bottle caps.
The test provides both the original and the modified excerpt in the user message, so the LLM doesn't need any memorized version of the excerpt to theoretically answer each correctly.
From the paper:
System Prompt
You are helping a student practice memorizing poems. The student will recite a poem, but they may have missed some lines. Your task is to identify exactly which lines are missing from their recitation.
List only the missing lines, nothing else.
User Message
Here is the complete original poem:
{original poem}
Now, here is my recitation which may be missing some lines:
{modified poem}
What lines did I miss? Please list only the missing lines, nothing else.
The Command-and-Control part of the botnet would be whatever component they build to instruct it to attack; often using some dummy website they register and have the compromised clients poll for changes with instructions.
I think an increasing amount of them are state actors or groups offering the botnet as a service.
This is changing; OpenAI's newer API (Responses) is required to include reasoning tokens in the context while using the API, to get the reasoning summaries, and to use some of the OpenAI provided tools. Google's OpenAI compatibility supports Chat Completions, not Responses.
As the LLM developers continue to add unique features to their APIs, the shared API which is now OpenAI will only support the minimal common subset and many will probably deprecate the compatibility API. Devs will have to rely on SDKs to offer compatibility.
The IRS Guidance says this in 5.05(2), which is most relevant to software startups:
(2) Computer software developed for sale or licensing to others. In the case of
computer software that is developed for sale or licensing to others (or upgrades
and enhancements to such software), activities that occur after such software (or
upgrades and enhancements to such software) is ready for sale or licensing to
others, such as marketing and promotional activities, maintenance activities that
do not give rise to upgrades and enhancements, distribution activities (for
example, making the software available via remote access), and customer support
activities.
So they are maintenance as long as they "do not give rise to upgrades and enhancements", which would be the responsibility of the taxpayer to track. I'm sure there is more nuance to it in practice.
They have, but they’ve fired everyone. Literally. I have a relative who was fired while testifying in court, he ended up stranded in some flyover shithole.
Like a weed, in the sense of living in spite of one's circumstances. For example, a person with limited resources living for a long time, which is like a weed with little sunlight still growing from a crack in concrete.