• Phoenix3875@lemmy.world
    1 day ago

    You do understand this is more akin to white hat testing, right?

    Those who want to exploit this will do it anyway, except they won’t publish the result. By making the exploit public, the risk will be known if not mitigated.

    • unepelle@mander.xyz
      1 day ago

      I’m admittedly not knowledgeable in White Hat Hacking, but are you supposed to publicize the vulnerability, release a shortcut to exploit it telling people to ‘enjoy’, or even call the vulnerability handy?

      • teft@piefed.social
        1 day ago

        Responsible disclosure is what a white hat does. You report the bug to whoever is the party responsible for patching and give them time to fix it.

        • PlexSheep@infosec.pub
          1 day ago

          That sort of depends on the situation. Responsible disclosure is for if there is some relevant security hole that is an actual risk to businesses and people, while this here is just “haha look LLMs can now better pretend to write good text if you tell it to”. That’s not really responsible disclosurable. It’s not even specific to one singular product.

      • FooBarrington@lemmy.world
        1 day ago

        Considering the “vulnerability” here is on the level of “don’t use password as your password” - yeah, releasing it all is exactly the right step.