I'm on the fence here, for one as from recent Linux mailing discussions those tools can really find good bugs (51% of them?), but on other side - I'm afraid of false sense of security.
ph3t 5 hours ago [-]
All these security/vulnerability scanning harnesses look more or less the same. Not sure what’s the point of bragging or publishing about them anymore, there’s no moat
skybrian 2 hours ago [-]
I imagine they built it mostly for themselves, but open sourcing it is a nice gesture.
55 minutes ago [-]
fsuts 4 hours ago [-]
An end product to justify the Billions spent on AI
ActionHank 3 hours ago [-]
Also so that the engineers have something for the resume that looks and sounds impressive.
They don't know that Dario told me Fable is going to hack the planet.
worldsavior 4 hours ago [-]
They're desperate for the hype.
jabroni_salad 49 minutes ago [-]
Vulnhunter isn't that exciting but if you scroll down their feed you'll see "guide to common rust errors" which... also isn't very exciting. I think they just need to publish something every week.
fwiw I have seen good whitepapers from them. A while back I used one about their IVR to get exec buy in for re-doing my company's IVR into something a lot better.
ceejayoz 4 hours ago [-]
Eh, Capital One has long been surprisingly progressive on open source and whatnot. They were one of the first to properly adopt OAuth to connect accounts, too, back when Plaid/Mint/etc. were mostly proxying logins.
IMHO these type of projects are not tools per-se but methodologies. I think this is a better framing since that's exactly what they are - a bunch of markdown files that describe in general terms how to perform an assessment aligned to some principles.
Btw, these type of methodologies are used all the time. Practically every security consultancy has them so adding them to an LLM makes a lot of sense.
Curious if the team at CapitalOne can share in more detail how this tool is being used internally, including how it’s helped their security practices and culture. That would help address some of the legitimacy concerns.
_joel 5 hours ago [-]
Why does this feel like an exec trying to justify token spend?
bobthebob 3 hours ago [-]
They dont need to justify it.
Sorry to say, tokens aren’t going anywhere, people aren’t going to suddenly stop using AI, and this whole paradigm shift of how people are changing how they work - is a full blown reality.
There is no reversal, no “eh we don’t think the tokens/AI are worth it”. Accept the new reality.
folkrav 37 minutes ago [-]
We also have to stop treating any criticism of some practices surrounding AI adoption like a rejection of the technology.
bobthebob 4 minutes ago [-]
True, but this post in about Capital One.
It doesn’t take a genius or system architect to figure out AI use in banking both internally and for consumers is a huge benefit especially for capital one.
Maybe we should critique the actual agentic products they are creating rather than critique the entire AI spend.
cute_boi 43 minutes ago [-]
Don’t underestimate how banks operate. Things move very slowly in banking, so they absolutely need to justify it. Many banks still use GPT Mini, and even that requires approval from two levels of management. Even upgrading from Java 8 to Java 17 requires extensive justification.
Forget AI—you even have to justify using a MacBook.
bobthebob 9 minutes ago [-]
You’re correct, but in the span of time - they are just doing the same thing everyone else is doing in many industries, just way slower
xur17 5 hours ago [-]
> If you intend to use VulnHunter on Anthropic's first-party platforms (Claude API / Claude Code), we strongly recommend enrolling first via the verification portal.
Has anyone actually had success with this? I applied for my company several weeks ago, and never heard back.
AshamedBadger56 4 hours ago [-]
Seems to be very random. I've heard stories like yours, as well as companies who applied and are approved same day.
liampulles 4 hours ago [-]
Wasn't Capital One founded on the premise of massive-scale market and product experimentation? Makes sense that they would design tools that match that approach.
jp0001 5 hours ago [-]
This is a sad. Makes me want to move my bank accounts.
skinfaxi 2 hours ago [-]
Why?
sbarrofan1 5 hours ago [-]
Put a wrapper around nessus, stave off a "below strong" rating another six months
_joel 5 hours ago [-]
I know a few companies that did this about 20 years back (cough Comodo). Charge customers for a free Nessus report that's been rebranded. Profit.
medina 6 hours ago [-]
VulnHunter: Capital One’s open-source, agentic AI code security tool.
https://github.com/visa/visa-vulnerability-agentic-harness
https://github.com/cloudflare/security-audit-skill
I'm on the fence here, for one as from recent Linux mailing discussions those tools can really find good bugs (51% of them?), but on other side - I'm afraid of false sense of security.
They don't know that Dario told me Fable is going to hack the planet.
fwiw I have seen good whitepapers from them. A while back I used one about their IVR to get exec buy in for re-doing my company's IVR into something a lot better.
https://www.capitalone.com/tech/open-source/
https://developer.capitalone.com/documentation/o-auth
Btw, these type of methodologies are used all the time. Practically every security consultancy has them so adding them to an LLM makes a lot of sense.
this is just a side project though for me
Sorry to say, tokens aren’t going anywhere, people aren’t going to suddenly stop using AI, and this whole paradigm shift of how people are changing how they work - is a full blown reality.
There is no reversal, no “eh we don’t think the tokens/AI are worth it”. Accept the new reality.
It doesn’t take a genius or system architect to figure out AI use in banking both internally and for consumers is a huge benefit especially for capital one.
Maybe we should critique the actual agentic products they are creating rather than critique the entire AI spend.
Forget AI—you even have to justify using a MacBook.
Has anyone actually had success with this? I applied for my company several weeks ago, and never heard back.
https://github.com/capitalone/VulnHunter/blob/main/vulnhunt/...