[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-project-glasswing-ai-software-bugs-zh":3,"tags-project-glasswing-ai-software-bugs-zh":35,"related-lang-project-glasswing-ai-software-bugs-zh":51,"related-posts-project-glasswing-ai-software-bugs-zh":55,"series-industry-8ff05ee3-542c-4a90-af18-875d1b009a5b":92},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":23,"translated_content":10,"views":24,"is_premium":25,"created_at":26,"updated_at":26,"cover_image":11,"published_at":27,"rewrite_status":28,"rewrite_error":10,"rewritten_from_id":29,"slug":30,"category":31,"related_article_id":32,"status":33,"google_indexed_at":34,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":25},"8ff05ee3-542c-4a90-af18-875d1b009a5b","Project Glasswing 讓 AI 專抓軟體漏洞","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fglasswing\" target=\"_blank\" rel=\"noopener\">Anthropic\u003C\u002Fa> 這次丟出的 Project Glasswing，數字很硬。12 家主要合作夥伴，40 多個額外組織，還有最高 1 億美元的使用額度。更猛的是，\u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fnews\u002Fclaude-mythos-preview\" target=\"_blank\" rel=\"noopener\">Claude Mythos Preview\u003C\u002Fa> 還被拿來找軟體漏洞，據稱已經挖出數千個高風險問題。\u003C\u002Fp>\u003Cp>講白了，這不是單純的 AI demo。它是在把 LLM 直接丟進資安現場。從 \u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\" target=\"_blank\" rel=\"noopener\">Anthropic\u003C\u002Fa> 的說法來看，AI 已經能幫忙找出老到離譜的 bug。像 OpenBSD 的 27 年漏洞、FFmpeg 的 16 年漏洞，還有 Linux kernel 的多步驟提權鏈，都被模型抓出來。這種事很難不讓人皺眉。\u003C\u002Fp>\u003Ch2>Project Glasswing 到底在做什麼\u003C\u002Fh2>\u003Cp>Glasswing 的定位很明確。它不是要做一個更會寫 code 的聊天機器人。它要做的是，把前沿模型的資安能力，直接塞進防禦流程裡。這種做法很像把 AI 從辦公室拉去值夜班，專門盯那些人類容易漏掉的角落。\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693399168-0dhd.png\" alt=\"Project Glasswing 讓 AI 專抓軟體漏洞\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>第一批合作夥伴名單也很有意思。裡面有 \u003Ca href=\"https:\u002F\u002Faws.amazon.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.apple.com\" target=\"_blank\" rel=\"noopener\">Apple\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.broadcom.com\" target=\"_blank\" rel=\"noopener\">Broadcom\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.cisco.com\" target=\"_blank\" rel=\"noopener\">Cisco\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.crowdstrike.com\" target=\"_blank\" rel=\"noopener\">CrowdStrike\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fcloud.google.com\" target=\"_blank\" rel=\"noopener\">Google Cloud\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.jpmorganchase.com\" target=\"_blank\" rel=\"noopener\">JPMorganChase\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.linuxfoundation.org\" target=\"_blank\" rel=\"noopener\">Linux Foundation\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.microsoft.com\" target=\"_blank\" rel=\"noopener\">Microsoft\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.nvidia.com\" target=\"_blank\" rel=\"noopener\">NVIDIA\u003C\u002Fa>，還有 \u003Ca href=\"https:\u002F\u002Fwww.paloaltonetworks.com\" target=\"_blank\" rel=\"noopener\">Palo Alto Networks\u003C\u002Fa>。這些名字不是來站台而已。它們掌握雲端、晶片、端點、網路和作業系統的核心場景。\u003C\u002Fp>\u003Cp>\u003Ca href=\"\u002Fnews\u002Fanthropic-claude-mythos-preview-meaning-zh\">Anth\u003C\u002Fa>ropic 還開放給 40 多個其他組織使用。重點是，這些組織多半在維護關鍵基礎設施軟體。也就是說，AI 不是只掃自家產品，還會掃第一方程式碼和開源專案。Anthropic 另外還砸了最高 1 億美元的使用額度，外加 400 萬美元直接捐給開源資安團體。這筆錢不小，至少表示它不是隨便玩玩。\u003C\u002Fp>\u003Cul>\u003Cli>12 家合作夥伴先上車\u003C\u002Fli>\u003Cli>40+ 組織拿到使用權\u003C\u002Fli>\u003Cli>最高 1 億美元額度\u003C\u002Fli>\u003Cli>400 萬美元給開源資安團體\u003C\u002Fli>\u003C\u002Ful>\u003Cp>我覺得這個組合很像在做一個資安版的聯合演練。只是這次的主角不是人類分析師，而是模型。問題也很直接：如果 AI 真的能穩定找出漏洞，那\u003Ca href=\"\u002Fnews\u002Fai-coding-tools-developers-use-at-work-zh\">開發\u003C\u002Fa>團隊的 code review、SAST、fuzzing，還要怎麼接？\u003C\u002Fp>\u003Ch2>為什麼這個時間點很敏感\u003C\u002Fh2>\u003Cp>Anthropic 的核心論點很直接。找漏洞的成本下降了。這句話聽起來很抽象，但放到實務上就很可怕。因為漏洞一直都在，只是以前要靠人一個個翻。現在如果模型能快速讀 code、推邏輯、試出 exploit 路徑，防守方就得跑得更快。\u003C\u002Fp>\u003Cp>公司提到全球每年網路犯罪成本大約 5000 億美元。這個數字當然很難精準，但方向很清楚。只要一個 browser、kernel、或 media library 出問題，影響範圍就可能是百萬台機器。AI 一旦能把找洞這件事自動化，攻防兩邊的速度差就會拉開。\u003C\u002Fp>\u003Cp>這裡最麻煩的地方，不是模型會不會寫程式，而是它會不會理解邊界條件。很多老漏洞都不是語法錯誤，而是狀態機、權限流、記憶體處理這種細節。人類看一遍可能覺得沒事，模型如果能連著幾層推下去，就可能直接找到弱點。\u003C\u002Fp>\u003Cblockquote>“The window between a vulnerability being discovered and being exploited by an adversary has collapsed—what once took months now happens in minutes with AI.” — Elia Zaitsev, Chief Technology Officer, CrowdStrike\u003C\u002Fblockquote>\u003Cp>這句話很毒，但也很實在。以前是人類追人類。現在是系統追系統。資安團隊如果還用老節奏，真的會被甩開。\u003C\u002Fp>\u003Ch2>數字怎麼看才有感\u003C\u002Fh2>\u003Cp>Anthropic 不是只丟口號。它還給了一組 benchmark 數字。\u003Ca href=\"https:\u002F\u002Fwww.cybergym.ai\" target=\"_blank\" rel=\"noopener\">CyberGym\u003C\u002Fa> 上，Mythos Preview 拿到 83.1%。同場的 Claude Opus 4.6 是 66.6%。這差距不小。對漏洞復現這類任務來說，幾個百分點都可能差很多，更別說差了 16.5 個百分點。\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693415726-ha15.png\" alt=\"Project Glasswing 讓 AI 專抓軟體漏洞\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>更誇張的是，Anthropic 說模型已經在各大作業系統和瀏覽器中找出數千個 zero-day。它沒有一次公開全部細節，但已經透露部分案例。像 OpenBSD 的 27 年老洞，可以遠端讓機器當掉。FFmpeg 的 16 年漏洞，連跑了 500 萬次測試都沒抓到。Linux kernel 那個案例，則是從一般使用者權限一路升到完整控制。\u003C\u002Fp>\u003Cp>這些案例的共通點很簡單。它們都不是新 code 才會出事。相反地，越成熟的系統，越容易讓人放鬆警戒。大家會以為「這段早就測過了」。但 AI 的價值，剛好就是去翻這些被大家以為沒問題的角落。\u003C\u002Fp>\u003Cul>\u003Cli>CyberGym：83.1% 對 66.6%\u003C\u002Fli>\u003Cli>數千個 zero-day 被宣稱找到\u003C\u002Fli>\u003Cli>OpenBSD：27 年漏洞\u003C\u002Fli>\u003Cli>FFmpeg：16 年漏洞，測試跑 500 萬次仍漏掉\u003C\u002Fli>\u003Cli>Linux kernel：多步驟提權到完整控制\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Anthropic 表示，這些漏洞都已通報維護者，部分已修補。它也先只公開加密雜湊，等修補完成再補更多技術細節。這個處理方式算合理。畢竟如果先把細節全放出去，等於幫攻擊者開地圖。\u003C\u002Fp>\u003Ch2>這跟其他 AI 工具有什麼差別\u003C\u002Fh2>\u003Cp>Glasswing 的重點，不是幫工程師多寫幾行 code。它是在做自動化漏洞研究。這和 \u003Ca href=\"https:\u002F\u002Fopenai.com\" target=\"_blank\" rel=\"noopener\">OpenAI\u003C\u002Fa> 的 \u003Ca href=\"https:\u002F\u002Fopenai.com\u002Findex\u002Fintroducing-codex\u002F\" target=\"_blank\" rel=\"noopener\">Codex\u003C\u002Fa>，或 \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcopilot\" target=\"_blank\" rel=\"noopener\">GitHub Copilot\u003C\u002Fa> 的定位不太一樣。後兩者主要是提升生產力。Glasswing 則是直接往找洞、驗洞、甚至輔助生成 exploit 的方向走。\u003C\u002Fp>\u003Cp>這也讓資安廠商的態度很有看頭。\u003Ca href=\"https:\u002F\u002Fwww.crowdstrike.com\" target=\"_blank\" rel=\"noopener\">CrowdStrike\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.microsoft.com\" target=\"_blank\" rel=\"noopener\">Microsoft\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.paloaltonetworks.com\" target=\"_blank\" rel=\"noopener\">Palo Alto Networks\u003C\u002Fa> 都進場了，代表大公司不是只看簡報，而是願意把模型放進真實流程測試。這比單看 benchmark 更有份量。\u003C\u002Fp>\u003Cp>Linux Foundation 也在名單裡，這點很有意思。因為現代基礎設施很多都靠開源撐著。你每天用的伺服器、容器、網路堆疊，背後常常是少數維護者在扛。AI 如果真的能幫他們先抓 bug，效果會很直接。\u003C\u002Fp>\u003Cul>\u003Cli>Glasswing 走的是自動找洞路線\u003C\u002Fli>\u003Cli>Copilot 偏向寫 code 輔助\u003C\u002Fli>\u003Cli>Codex 偏向程式生成\u003C\u002Fli>\u003Cli>資安廠商已經開始實測\u003C\u002Fli>\u003Cli>開源專案是最大受益面之一\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Linux Foundation 執行長 Jim Zemlin 的話很直白：“By \u003Ca href=\"\u002Fnews\u002Flogicmojo-ai-ml-coursework-github-zh\">gi\u003C\u002Fa>ving the maintainers of these critical open source codebases access to a new generation of AI models that can proactively identify and fix vulnerabilities at scale, Project Glasswing offers a credible path to changing that equation.” 這句英文不用翻太文青。重點就是，開源維護者終於有機會拿到一個會主動找洞的助手。\u003C\u002Fp>\u003Ch2>產業脈絡沒有那麼浪漫\u003C\u002Fh2>\u003Cp>資安圈其實一直都在追求自動化。從靜態分析、fuzzing、到 CI 裡的掃描工具，大家都想把人工判斷變少。問題是，傳統工具很會抓固定模式，卻常常看不懂複雜上下文。這也是為什麼很多老漏洞能活那麼久。\u003C\u002Fp>\u003Cp>AI 進來之後，情況變了。LLM 不一定懂所有程式語言細節，但它擅長跨段落推理。它可以看函式呼叫、狀態轉移、權限邏輯，再把可能的攻擊路徑串起來。這種能力，剛好補上傳統工具的空缺。\u003C\u002Fp>\u003Cp>但別高興太早。模型也可能誤報，也可能漏報。它找出來的東西，還是得靠人驗證。對台灣很多軟體團隊來說，真正的問題不是要不要用 AI，而是要怎麼把它接進既有流程。是放在 pre-commit、CI、還是 release 前的安全審查？這些都不是免費的。\u003C\u002Fp>\u003Cp>還有一個現實。攻擊者也會用同樣的模型。當找洞成本下降，防守方就不能只靠人力堆。你可以把這件事想成一場算力競賽。誰能更快掃、更多測、把修補流程縮短，誰就比較不容易被打穿。\u003C\u002Fp>\u003Ch2>接下來該盯什麼\u003C\u002Fh2>\u003Cp>我會先看三件事。第一，外部研究者能不能重現 Anthropic 的結果。第二，這些漏洞實際修補後，會不會真的降低風險。第三，Glasswing 會不會從少數大公司，擴散到一般開發團隊。\u003C\u002Fp>\u003Cp>如果這條路走得通，下一波變化可能不是更炫的 AI 聊天，而是每個 CI pipeline 都開始掛一個會找洞的模型。講白了，未來最值錢的不是只會寫 code 的 AI，而是能在 release 前先把你最爛的 bug 挖出來的 AI。你如果是做軟體或維運，現在就該想：你的程式碼，準備好被模型掃過一輪了嗎？\u003C\u002Fp>","Anthropic 的 Project Glasswing 讓 40+ 組織用 Claude Mythos Preview 找軟體漏洞，還宣稱已挖出數千個高風險弱點。","www.anthropic.com","https:\u002F\u002Fwww.anthropic.com\u002Fglasswing",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693399168-0dhd.png",[13,14,15,16,17,18,19,20,21,22],"Anthropic","Project Glasswing","Claude Mythos Preview","軟體漏洞","AI 資安","zero-day","開源安全","Linux kernel","FFmpeg","OpenBSD","zh",0,false,"2026-04-09T00:09:44.848756+00:00","2026-04-09T00:09:44.613+00:00","done","321c0ca8-5c60-4740-8ee5-c8f478967ff1","project-glasswing-ai-software-bugs-zh","industry","f00e0143-9afd-4708-831d-e32365ac0157","published","2026-04-09T09:00:49.651+00:00",[36,38,39,41,43,45,47,49],{"name":17,"slug":37},"ai-資安",{"name":18,"slug":18},{"name":21,"slug":40},"ffmpeg",{"name":15,"slug":42},"claude-mythos-preview",{"name":22,"slug":44},"openbsd",{"name":20,"slug":46},"linux-kernel",{"name":13,"slug":48},"anthropic",{"name":14,"slug":50},"project-glasswing",{"id":32,"slug":52,"title":53,"language":54},"project-glasswing-ai-software-bugs-en","Project Glasswing puts AI to work on software bugs","en",[56,62,68,74,80,86],{"id":57,"slug":58,"title":59,"cover_image":60,"image_url":60,"created_at":61,"category":31},"cd078ce9-0a92-485a-b428-2f5523250a19","circles-agent-stack-targets-machine-speed-payments-zh","Circle 推出 Agent Stack，瞄準機器速度支付","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871663628-uyk5.png","2026-05-15T19:00:44.16849+00:00",{"id":63,"slug":64,"title":65,"cover_image":66,"image_url":66,"created_at":67,"category":31},"96d96399-f674-4269-997a-cddfc34291a0","iren-signs-nvidia-ai-infrastructure-pact-zh","IREN 綁上 Nvidia AI 基建","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778871057561-bukp.png","2026-05-15T18:50:37.57206+00:00",{"id":69,"slug":70,"title":71,"cover_image":72,"image_url":72,"created_at":73,"category":31},"de12a36e-52f9-4bca-8deb-a41cf974ffd9","circle-agent-stack-ai-payments-zh","Circle 推出 Agent Stack 做 AI 付款","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778870462187-t9xv.png","2026-05-15T18:40:30.945394+00:00",{"id":75,"slug":76,"title":77,"cover_image":78,"image_url":78,"created_at":79,"category":31},"e6379f8a-3305-4862-bd15-1192d3247841","why-nebius-ai-pivot-is-more-real-than-hype-zh","為什麼 Nebius 的 AI 轉型比炒作更真實","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778823044520-9mfz.png","2026-05-15T05:30:24.978992+00:00",{"id":81,"slug":82,"title":83,"cover_image":84,"image_url":84,"created_at":85,"category":31},"66c4e357-d84d-43ef-a2e7-120c4609e98e","nvidia-backs-corning-factories-with-billions-zh","Nvidia 出資 Corning 工廠擴產","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778822450270-trdb.png","2026-05-15T05:20:27.701475+00:00",{"id":87,"slug":88,"title":89,"cover_image":90,"image_url":90,"created_at":91,"category":31},"31d8109c-8b0b-46e2-86bc-d274a03269d1","why-anthropic-gates-foundation-ai-public-goods-zh","為什麼 Anthropic 和 Gates Foundation 應該投資 A…","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778796636474-u508.png","2026-05-14T22:10:21.138177+00:00",[93,98,103,108,113,118,123,128,133,138],{"id":94,"slug":95,"title":96,"created_at":97},"ee073da7-28b3-4752-a319-5a501459fb87","ai-in-2026-what-actually-matters-now-zh","2026 AI 真正重要的事","2026-03-26T07:09:12.008134+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"83bd1795-8548-44c9-9a7e-de50a0923f71","trump-ai-framework-power-speech-state-preemption-zh","川普 AI 框架瞄準電力、言論與州權","2026-03-26T07:12:18.695466+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"ea6be18b-c903-4e54-97b7-5f7447a612e0","nvidia-gtc-2026-big-ai-announcements-zh","NVIDIA GTC 2026 重點拆解","2026-03-26T07:14:26.62638+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"4bcec76f-4c36-4daa-909f-54cd702f7c93","claude-users-spreading-out-and-getting-better-zh","Claude 用戶更分散，也更會用","2026-03-26T07:22:52.325888+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"bd903b15-2473-4178-9789-b7557816e535","openclaw-raises-hard-question-for-ai-models-zh","OpenClaw 逼問 AI 模型價值","2026-03-26T07:24:54.707486+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"eeac6b9e-ad9d-4831-8eec-8bba3f9bca6a","gap-google-gemini-checkout-fashion-search-zh","Gap 把結帳搬進 Gemini","2026-03-26T07:28:23.937768+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"0740e53f-605d-4d57-8601-c10beb126f3c","google-pushes-gemini-transition-to-march-2026-zh","Google 把 Gemini 轉換延到 2026 年 3…","2026-03-26T07:30:12.825269+00:00",{"id":129,"slug":130,"title":131,"created_at":132},"e660d801-2421-4529-8fa9-86b82b066990","metas-llama-4-benchmark-scandal-gets-worse-zh","Meta Llama 4 分數風波又擴大","2026-03-26T07:34:21.156421+00:00",{"id":134,"slug":135,"title":136,"created_at":137},"183f9e7c-e143-40bb-a6d5-67ba84a3a8bc","accenture-mistral-ai-sovereign-enterprise-deal-zh","Accenture 攜手 Mistral AI 賣主權 AI","2026-03-26T07:38:14.818906+00:00",{"id":139,"slug":140,"title":141,"created_at":142},"191d9b1b-768a-478c-978c-dd7431a38149","mistral-ai-faces-its-hardest-year-yet-zh","Mistral AI 迎來最硬的一年","2026-03-26T07:40:23.716374+00:00"]