[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-project-glasswing-ai-software-bugs-zh":3,"article-related-project-glasswing-ai-software-bugs-zh":30,"series-industry-8ff05ee3-542c-4a90-af18-875d1b009a5b":88},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":11,"views":27,"created_at":28,"published_at":29,"topic_cluster_id":11},"8ff05ee3-542c-4a90-af18-875d1b009a5b","project-glasswing-ai-software-bugs-zh","Project Glasswing 讓 AI 專抓軟體漏洞","\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fglasswing\" target=\"_blank\" rel=\"noopener\">Anthropic\u003C\u002Fa> 這次丟出的 Project Glasswing，數字很硬。12 家主要合作夥伴，40 多個額外組織，還有最高 1 億美元的使用額度。更猛的是，\u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\u002Fnews\u002Fclaude-mythos-preview\" target=\"_blank\" rel=\"noopener\">Claude Mythos Preview\u003C\u002Fa> 還被拿來找軟體漏洞，據稱已經挖出數千個高風險問題。\u003C\u002Fp>\u003Cp>講白了，這不是單純的 AI demo。它是在把 LLM 直接丟進資安現場。從 \u003Ca href=\"https:\u002F\u002Fwww.anthropic.com\" target=\"_blank\" rel=\"noopener\">Anthropic\u003C\u002Fa> 的說法來看，AI 已經能幫忙找出老到離譜的 bug。像 OpenBSD 的 27 年漏洞、FFmpeg 的 16 年漏洞，還有 Linux kernel 的多步驟提權鏈，都被模型抓出來。這種事很難不讓人皺眉。\u003C\u002Fp>\u003Ch2>Project Glasswing 到底在做什麼\u003C\u002Fh2>\u003Cp>Glasswing 的定位很明確。它不是要做一個更會寫 code 的聊天機器人。它要做的是，把前沿模型的資安能力，直接塞進防禦流程裡。這種做法很像把 AI 從辦公室拉去值夜班，專門盯那些人類容易漏掉的角落。\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693399168-0dhd.png\" alt=\"Project Glasswing 讓 AI 專抓軟體漏洞\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>第一批合作夥伴名單也很有意思。裡面有 \u003Ca href=\"https:\u002F\u002Faws.amazon.com\" target=\"_blank\" rel=\"noopener\">Amazon Web Services\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.apple.com\" target=\"_blank\" rel=\"noopener\">Apple\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.broadcom.com\" target=\"_blank\" rel=\"noopener\">Broadcom\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.cisco.com\" target=\"_blank\" rel=\"noopener\">Cisco\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.crowdstrike.com\" target=\"_blank\" rel=\"noopener\">CrowdStrike\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fcloud.google.com\" target=\"_blank\" rel=\"noopener\">Google Cloud\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.jpmorganchase.com\" target=\"_blank\" rel=\"noopener\">JPMorganChase\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.linuxfoundation.org\" target=\"_blank\" rel=\"noopener\">Linux Foundation\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.microsoft.com\" target=\"_blank\" rel=\"noopener\">Microsoft\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.nvidia.com\" target=\"_blank\" rel=\"noopener\">NVIDIA\u003C\u002Fa>，還有 \u003Ca href=\"https:\u002F\u002Fwww.paloaltonetworks.com\" target=\"_blank\" rel=\"noopener\">Palo Alto Networks\u003C\u002Fa>。這些名字不是來站台而已。它們掌握雲端、晶片、端點、網路和作業系統的核心場景。\u003C\u002Fp>\u003Cp>\u003Ca href=\"\u002Fnews\u002Fanthropic-claude-mythos-preview-meaning-zh\">Anth\u003C\u002Fa>ropic 還開放給 40 多個其他組織使用。重點是，這些組織多半在維護關鍵基礎設施軟體。也就是說，AI 不是只掃自家產品，還會掃第一方程式碼和開源專案。Anthropic 另外還砸了最高 1 億美元的使用額度，外加 400 萬美元直接捐給開源資安團體。這筆錢不小，至少表示它不是隨便玩玩。\u003C\u002Fp>\u003Cul>\u003Cli>12 家合作夥伴先上車\u003C\u002Fli>\u003Cli>40+ 組織拿到使用權\u003C\u002Fli>\u003Cli>最高 1 億美元額度\u003C\u002Fli>\u003Cli>400 萬美元給開源資安團體\u003C\u002Fli>\u003C\u002Ful>\u003Cp>我覺得這個組合很像在做一個資安版的聯合演練。只是這次的主角不是人類分析師，而是模型。問題也很直接：如果 AI 真的能穩定找出漏洞，那\u003Ca href=\"\u002Fnews\u002Fai-coding-tools-developers-use-at-work-zh\">開發\u003C\u002Fa>團隊的 code review、SAST、fuzzing，還要怎麼接？\u003C\u002Fp>\u003Ch2>為什麼這個時間點很敏感\u003C\u002Fh2>\u003Cp>Anthropic 的核心論點很直接。找漏洞的成本下降了。這句話聽起來很抽象，但放到實務上就很可怕。因為漏洞一直都在，只是以前要靠人一個個翻。現在如果模型能快速讀 code、推邏輯、試出 exploit 路徑，防守方就得跑得更快。\u003C\u002Fp>\u003Cp>公司提到全球每年網路犯罪成本大約 5000 億美元。這個數字當然很難精準，但方向很清楚。只要一個 browser、kernel、或 media library 出問題，影響範圍就可能是百萬台機器。AI 一旦能把找洞這件事自動化，攻防兩邊的速度差就會拉開。\u003C\u002Fp>\u003Cp>這裡最麻煩的地方，不是模型會不會寫程式，而是它會不會理解邊界條件。很多老漏洞都不是語法錯誤，而是狀態機、權限流、記憶體處理這種細節。人類看一遍可能覺得沒事，模型如果能連著幾層推下去，就可能直接找到弱點。\u003C\u002Fp>\u003Cblockquote>“The window between a vulnerability being discovered and being exploited by an adversary has collapsed—what once took months now happens in minutes with AI.” — Elia Zaitsev, Chief Technology Officer, CrowdStrike\u003C\u002Fblockquote>\u003Cp>這句話很毒，但也很實在。以前是人類追人類。現在是系統追系統。資安團隊如果還用老節奏，真的會被甩開。\u003C\u002Fp>\u003Ch2>數字怎麼看才有感\u003C\u002Fh2>\u003Cp>Anthropic 不是只丟口號。它還給了一組 benchmark 數字。\u003Ca href=\"https:\u002F\u002Fwww.cybergym.ai\" target=\"_blank\" rel=\"noopener\">CyberGym\u003C\u002Fa> 上，Mythos Preview 拿到 83.1%。同場的 Claude Opus 4.6 是 66.6%。這差距不小。對漏洞復現這類任務來說，幾個百分點都可能差很多，更別說差了 16.5 個百分點。\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693415726-ha15.png\" alt=\"Project Glasswing 讓 AI 專抓軟體漏洞\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>更誇張的是，Anthropic 說模型已經在各大作業系統和瀏覽器中找出數千個 zero-day。它沒有一次公開全部細節，但已經透露部分案例。像 OpenBSD 的 27 年老洞，可以遠端讓機器當掉。FFmpeg 的 16 年漏洞，連跑了 500 萬次測試都沒抓到。Linux kernel 那個案例，則是從一般使用者權限一路升到完整控制。\u003C\u002Fp>\u003Cp>這些案例的共通點很簡單。它們都不是新 code 才會出事。相反地，越成熟的系統，越容易讓人放鬆警戒。大家會以為「這段早就測過了」。但 AI 的價值，剛好就是去翻這些被大家以為沒問題的角落。\u003C\u002Fp>\u003Cul>\u003Cli>CyberGym：83.1% 對 66.6%\u003C\u002Fli>\u003Cli>數千個 zero-day 被宣稱找到\u003C\u002Fli>\u003Cli>OpenBSD：27 年漏洞\u003C\u002Fli>\u003Cli>FFmpeg：16 年漏洞，測試跑 500 萬次仍漏掉\u003C\u002Fli>\u003Cli>Linux kernel：多步驟提權到完整控制\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Anthropic 表示，這些漏洞都已通報維護者，部分已修補。它也先只公開加密雜湊，等修補完成再補更多技術細節。這個處理方式算合理。畢竟如果先把細節全放出去，等於幫攻擊者開地圖。\u003C\u002Fp>\u003Ch2>這跟其他 AI 工具有什麼差別\u003C\u002Fh2>\u003Cp>Glasswing 的重點，不是幫工程師多寫幾行 code。它是在做自動化漏洞研究。這和 \u003Ca href=\"https:\u002F\u002Fopenai.com\" target=\"_blank\" rel=\"noopener\">OpenAI\u003C\u002Fa> 的 \u003Ca href=\"https:\u002F\u002Fopenai.com\u002Findex\u002Fintroducing-codex\u002F\" target=\"_blank\" rel=\"noopener\">Codex\u003C\u002Fa>，或 \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Ffeatures\u002Fcopilot\" target=\"_blank\" rel=\"noopener\">GitHub Copilot\u003C\u002Fa> 的定位不太一樣。後兩者主要是提升生產力。Glasswing 則是直接往找洞、驗洞、甚至輔助生成 exploit 的方向走。\u003C\u002Fp>\u003Cp>這也讓資安廠商的態度很有看頭。\u003Ca href=\"https:\u002F\u002Fwww.crowdstrike.com\" target=\"_blank\" rel=\"noopener\">CrowdStrike\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.microsoft.com\" target=\"_blank\" rel=\"noopener\">Microsoft\u003C\u002Fa>、\u003Ca href=\"https:\u002F\u002Fwww.paloaltonetworks.com\" target=\"_blank\" rel=\"noopener\">Palo Alto Networks\u003C\u002Fa> 都進場了，代表大公司不是只看簡報，而是願意把模型放進真實流程測試。這比單看 benchmark 更有份量。\u003C\u002Fp>\u003Cp>Linux Foundation 也在名單裡，這點很有意思。因為現代基礎設施很多都靠開源撐著。你每天用的伺服器、容器、網路堆疊，背後常常是少數維護者在扛。AI 如果真的能幫他們先抓 bug，效果會很直接。\u003C\u002Fp>\u003Cul>\u003Cli>Glasswing 走的是自動找洞路線\u003C\u002Fli>\u003Cli>Copilot 偏向寫 code 輔助\u003C\u002Fli>\u003Cli>Codex 偏向程式生成\u003C\u002Fli>\u003Cli>資安廠商已經開始實測\u003C\u002Fli>\u003Cli>開源專案是最大受益面之一\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Linux Foundation 執行長 Jim Zemlin 的話很直白：“By \u003Ca href=\"\u002Fnews\u002Flogicmojo-ai-ml-coursework-github-zh\">gi\u003C\u002Fa>ving the maintainers of these critical open source codebases access to a new generation of AI models that can proactively identify and fix vulnerabilities at scale, Project Glasswing offers a credible path to changing that equation.” 這句英文不用翻太文青。重點就是，開源維護者終於有機會拿到一個會主動找洞的助手。\u003C\u002Fp>\u003Ch2>產業脈絡沒有那麼浪漫\u003C\u002Fh2>\u003Cp>資安圈其實一直都在追求自動化。從靜態分析、fuzzing、到 CI 裡的掃描工具，大家都想把人工判斷變少。問題是，傳統工具很會抓固定模式，卻常常看不懂複雜上下文。這也是為什麼很多老漏洞能活那麼久。\u003C\u002Fp>\u003Cp>AI 進來之後，情況變了。LLM 不一定懂所有程式語言細節，但它擅長跨段落推理。它可以看函式呼叫、狀態轉移、權限邏輯，再把可能的攻擊路徑串起來。這種能力，剛好補上傳統工具的空缺。\u003C\u002Fp>\u003Cp>但別高興太早。模型也可能誤報，也可能漏報。它找出來的東西，還是得靠人驗證。對台灣很多軟體團隊來說，真正的問題不是要不要用 AI，而是要怎麼把它接進既有流程。是放在 pre-commit、CI、還是 release 前的安全審查？這些都不是免費的。\u003C\u002Fp>\u003Cp>還有一個現實。攻擊者也會用同樣的模型。當找洞成本下降，防守方就不能只靠人力堆。你可以把這件事想成一場算力競賽。誰能更快掃、更多測、把修補流程縮短，誰就比較不容易被打穿。\u003C\u002Fp>\u003Ch2>接下來該盯什麼\u003C\u002Fh2>\u003Cp>我會先看三件事。第一，外部研究者能不能重現 Anthropic 的結果。第二，這些漏洞實際修補後，會不會真的降低風險。第三，Glasswing 會不會從少數大公司，擴散到一般開發團隊。\u003C\u002Fp>\u003Cp>如果這條路走得通，下一波變化可能不是更炫的 AI 聊天，而是每個 CI pipeline 都開始掛一個會找洞的模型。講白了，未來最值錢的不是只會寫 code 的 AI，而是能在 release 前先把你最爛的 bug 挖出來的 AI。你如果是做軟體或維運，現在就該想：你的程式碼，準備好被模型掃過一輪了嗎？\u003C\u002Fp>","Anthropic 的 Project Glasswing 讓 40+ 組織用 Claude Mythos Preview 找軟體漏洞，還宣稱已挖出數千個高風險弱點。","www.anthropic.com","https:\u002F\u002Fwww.anthropic.com\u002Fglasswing",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775693399168-0dhd.png","industry","zh","f00e0143-9afd-4708-831d-e32365ac0157",[17,18,19,20,21,22,23,24,25,26],"Anthropic","Project Glasswing","Claude Mythos Preview","軟體漏洞","AI 資安","zero-day","開源安全","Linux kernel","FFmpeg","OpenBSD",2,"2026-04-09T00:09:44.848756+00:00","2026-04-09T00:09:44.613+00:00",{"tags":31,"relatedLang":47,"relatedPosts":51},[32,34,35,37,39,41,43,45],{"name":21,"slug":33},"ai-資安",{"name":22,"slug":22},{"name":36,"slug":36},"ffmpeg",{"name":19,"slug":38},"claude-mythos-preview",{"name":26,"slug":40},"openbsd",{"name":24,"slug":42},"linux-kernel",{"name":17,"slug":44},"anthropic",{"name":18,"slug":46},"project-glasswing",{"id":15,"slug":48,"title":49,"language":50},"project-glasswing-ai-software-bugs-en","Project Glasswing puts AI to work on software bugs","en",[52,58,64,70,76,82],{"id":53,"slug":54,"title":55,"cover_image":56,"image_url":56,"created_at":57,"category":13},"944aacaa-7f1b-4a11-8390-768b2a89c607","anthropic-partner-network-enterprise-ready-zh","Anthropic 讓夥伴網路變企業級","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780524191103-89dy.png","2026-06-03T22:02:45.952347+00:00",{"id":59,"slug":60,"title":61,"cover_image":62,"image_url":62,"created_at":63,"category":13},"fc8eafb2-1d73-468c-a784-1279f4732ea2","7-build-2026-announcements-for-microsoft-watchers-zh","7 個 Build 2026 觀察重點","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780523288803-hs3b.png","2026-06-03T21:47:43.306492+00:00",{"id":65,"slug":66,"title":67,"cover_image":68,"image_url":68,"created_at":69,"category":13},"6d2568ba-f5d3-41b3-8111-9fe820613e84","why-microsoft-new-ai-models-break-openai-dependence-zh","為什麼微軟自建 AI 模型，才是擺脫 OpenAI 依賴的正確路線","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780522384832-8cbv.png","2026-06-03T21:32:24.837196+00:00",{"id":71,"slug":72,"title":73,"cover_image":74,"image_url":74,"created_at":75,"category":13},"e9a0851d-34e0-46c8-8ec0-661de6e628bc","nike-mcdonalds-sneaker-drop-desert-hunt-zh","為什麼 Nike 和 McDonald’s 把球鞋發表做成沙漠尋寶","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780512474179-wpn9.png","2026-06-03T18:47:23.262279+00:00",{"id":77,"slug":78,"title":79,"cover_image":80,"image_url":80,"created_at":81,"category":13},"c09600da-ac41-403d-b17a-b44c61d4b4c8","hartenstein-knicks-quote-clean-recap-zh","Hartenstein 這句話怎麼拆成乾淨 recap","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780509792468-kdul.png","2026-06-03T18:02:47.679684+00:00",{"id":83,"slug":84,"title":85,"cover_image":86,"image_url":86,"created_at":87,"category":13},"fbeae011-dff8-4a96-935b-8c85fbbfb95a","why-thunder-should-keep-isaiah-hartenstein-zh","為什麼雷霆應該留下 Isaiah Hartenstein","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1780508870211-j7jr.png","2026-06-03T17:47:23.43928+00:00",[89,94,99,104,109,114,119,124,129,134],{"id":90,"slug":91,"title":92,"created_at":93},"ee073da7-28b3-4752-a319-5a501459fb87","ai-in-2026-what-actually-matters-now-zh","2026 AI 真正重要的事","2026-03-26T07:09:12.008134+00:00",{"id":95,"slug":96,"title":97,"created_at":98},"83bd1795-8548-44c9-9a7e-de50a0923f71","trump-ai-framework-power-speech-state-preemption-zh","川普 AI 框架瞄準電力、言論與州權","2026-03-26T07:12:18.695466+00:00",{"id":100,"slug":101,"title":102,"created_at":103},"ea6be18b-c903-4e54-97b7-5f7447a612e0","nvidia-gtc-2026-big-ai-announcements-zh","NVIDIA GTC 2026 重點拆解","2026-03-26T07:14:26.62638+00:00",{"id":105,"slug":106,"title":107,"created_at":108},"4bcec76f-4c36-4daa-909f-54cd702f7c93","claude-users-spreading-out-and-getting-better-zh","Claude 用戶更分散，也更會用","2026-03-26T07:22:52.325888+00:00",{"id":110,"slug":111,"title":112,"created_at":113},"bd903b15-2473-4178-9789-b7557816e535","openclaw-raises-hard-question-for-ai-models-zh","OpenClaw 逼問 AI 模型價值","2026-03-26T07:24:54.707486+00:00",{"id":115,"slug":116,"title":117,"created_at":118},"eeac6b9e-ad9d-4831-8eec-8bba3f9bca6a","gap-google-gemini-checkout-fashion-search-zh","Gap 把結帳搬進 Gemini","2026-03-26T07:28:23.937768+00:00",{"id":120,"slug":121,"title":122,"created_at":123},"0740e53f-605d-4d57-8601-c10beb126f3c","google-pushes-gemini-transition-to-march-2026-zh","Google 把 Gemini 轉換延到 2026 年 3…","2026-03-26T07:30:12.825269+00:00",{"id":125,"slug":126,"title":127,"created_at":128},"e660d801-2421-4529-8fa9-86b82b066990","metas-llama-4-benchmark-scandal-gets-worse-zh","Meta Llama 4 分數風波又擴大","2026-03-26T07:34:21.156421+00:00",{"id":130,"slug":131,"title":132,"created_at":133},"183f9e7c-e143-40bb-a6d5-67ba84a3a8bc","accenture-mistral-ai-sovereign-enterprise-deal-zh","Accenture 攜手 Mistral AI 賣主權 AI","2026-03-26T07:38:14.818906+00:00",{"id":135,"slug":136,"title":137,"created_at":138},"191d9b1b-768a-478c-978c-dd7431a38149","mistral-ai-faces-its-hardest-year-yet-zh","Mistral AI 迎來最硬的一年","2026-03-26T07:40:23.716374+00:00"]