All these security/vulnerability scanning harnesses look more or less the same. Not sure what’s the point of bragging or publishing about them anymore, there’s no moat
Eh, Capital One has long been surprisingly progressive on open source and whatnot. They were one of the first to properly adopt OAuth to connect accounts, too, back when Plaid/Mint/etc. were mostly proxying logins.
Vulnhunter isn't that exciting but if you scroll down their feed you'll see "guide to common rust errors" which... also isn't very exciting. I think they just need to publish something every week.
fwiw I have seen good whitepapers from them. A while back I used one about their IVR to get exec buy in for re-doing my company's IVR into something a lot better.
Sorry to say, tokens aren’t going anywhere, people aren’t going to suddenly stop using AI, and this whole paradigm shift of how people are changing how they work - is a full blown reality.
There is no reversal, no “eh we don’t think the tokens/AI are worth it”. Accept the new reality.
Don’t underestimate how banks operate. Things move very slowly in banking, so they absolutely need to justify it. Many banks still use GPT Mini, and even that requires approval from two levels of management. Even upgrading from Java 8 to Java 17 requires extensive justification.
Forget AI—you even have to justify using a MacBook.
It doesn’t take a genius or system architect to figure out AI use in banking both internally and for consumers is a huge benefit especially for capital one.
Maybe we should critique the actual agentic products they are creating rather than critique the entire AI spend.
> If you intend to use VulnHunter on Anthropic's first-party platforms (Claude API / Claude Code), we strongly recommend enrolling first via the verification portal.
Has anyone actually had success with this? I applied for my company several weeks ago, and never heard back.
Wasn't Capital One founded on the premise of massive-scale market and product experimentation? Makes sense that they would design tools that match that approach.
IMHO these type of projects are not tools per-se but methodologies. I think this is a better framing since that's exactly what they are - a bunch of markdown files that describe in general terms how to perform an assessment aligned to some principles.
Btw, these type of methodologies are used all the time. Practically every security consultancy has them so adding them to an LLM makes a lot of sense.
Curious if the team at CapitalOne can share in more detail how this tool is being used internally, including how it’s helped their security practices and culture. That would help address some of the legitimacy concerns.
I'm on the fence here, for one as from recent Linux mailing discussions those tools can really find good bugs (51% of them?), but on other side - I'm afraid of false sense of security.
you can, but it's better to use a different model or higher effort level at the very least to do the verifying part. (haven't checked to see what it is they are doing exactly), but doing vulnerability validation with the same model and effort you used to find the vulnerabilities isn't going to be a true second set of eyes and the model will likely always just try and justify it was right in the first place. ime, it's better to start with a fresh, clean context and at the very least a higher effort level on the same model. pass the finding(s) to a model that hasn't seen it before and it will judge it with an unbiased perspective.
[OP] medina | a day ago
ph3t | a day ago
worldsavior | a day ago
ceejayoz | a day ago
https://www.capitalone.com/tech/open-source/
https://developer.capitalone.com/documentation/o-auth
jabroni_salad | a day ago
fwiw I have seen good whitepapers from them. A while back I used one about their IVR to get exec buy in for re-doing my company's IVR into something a lot better.
fsuts | a day ago
ActionHank | a day ago
They don't know that Dario told me Fable is going to hack the planet.
skybrian | a day ago
sbarrofan1 | a day ago
_joel | a day ago
_joel | a day ago
bobthebob | a day ago
Sorry to say, tokens aren’t going anywhere, people aren’t going to suddenly stop using AI, and this whole paradigm shift of how people are changing how they work - is a full blown reality.
There is no reversal, no “eh we don’t think the tokens/AI are worth it”. Accept the new reality.
cute_boi | a day ago
Forget AI—you even have to justify using a MacBook.
bobthebob | a day ago
folkrav | a day ago
bobthebob | a day ago
It doesn’t take a genius or system architect to figure out AI use in banking both internally and for consumers is a huge benefit especially for capital one.
Maybe we should critique the actual agentic products they are creating rather than critique the entire AI spend.
deaton | a day ago
jp0001 | a day ago
skinfaxi | a day ago
xur17 | a day ago
Has anyone actually had success with this? I applied for my company several weeks ago, and never heard back.
AshamedBadger56 | a day ago
mkagenius | a day ago
this is just a side project though for me
alberth | 17 hours ago
How does your skills comparison to the offering from Capital One, as well,as what Visa published?
https://github.com/visa/visa-vulnerability-agentic-harness
mkagenius | 17 hours ago
More like a red team.
sawjet | 15 hours ago
liampulles | a day ago
_pdp_ | a day ago
Btw, these type of methodologies are used all the time. Practically every security consultancy has them so adding them to an LLM makes a lot of sense.
bpmct | a day ago
lfx | a day ago
https://github.com/visa/visa-vulnerability-agentic-harness
https://github.com/cloudflare/security-audit-skill
I'm on the fence here, for one as from recent Linux mailing discussions those tools can really find good bugs (51% of them?), but on other side - I'm afraid of false sense of security.
alberth | 17 hours ago
Are they glorified markdown skill files, or something more?
latchkey | a day ago
https://github.com/capitalone/VulnHunter/blob/main/vulnhunt/...
spikk | a day ago
snorbleck | a day ago
throw567643u8 | 14 hours ago