From the article:
>At AISLE, we've been running a discovery and remediation system against live targets since mid-2025: 15 CVEs in OpenSSL (including 12 out of 12 in a single security release, with bugs dating back 25+ years and a CVSS 9.8 Critical), 5 CVEs in curl, over 180 externally validated CVEs across 30+ projects spanning deep infrastructure, cryptography, middleware, and the application layer.
They have been doing it (and likely others as well), but they are not Anthropic with a million-dollar marketing budget and a trillion-dollar hype behind it, so you just didn't hear about it.
So you can't imagine anything between brute-force scanning the whole codebase and cutting everything up into small chunks and scanning only those?
You don't think that security companies (and likely these guys as well) develop systems for doing this stuff?
I'm not a security researcher and I can imagine a harness that first scans the codebase and describes the API, then another agent determines which functions should be looked at more closely based on that description, before handing those functions to another small LLM with the appropriate context. Then you can even use another agent to evaluate the result to see if there are false positives.
I would wager that such a system would yield better results for a much lower price.
Instead we are talking about this marketing exercise "oohh our model is so dangerous it can't be released, and btw the results can't be independently verified either"
I explained why this won't work elsewhere in the thread[1].
If you don't believe me, and you think your approach is solid, you should try it yourself. It's only a couple of dollars, and it would be extremely popular -- just look at how popular this article, using improper methodology, was! Hey, maybe you're right, and you can prove us all wrong. But I'd bet you on great odds that you're not.
>At AISLE, we've been running a discovery and remediation system against live targets since mid-2025: 15 CVEs in OpenSSL (including 12 out of 12 in a single security release, with bugs dating back 25+ years and a CVSS 9.8 Critical), 5 CVEs in curl, over 180 externally validated CVEs across 30+ projects spanning deep infrastructure, cryptography, middleware, and the application layer.
So there is pretty good evidence that yes you can use this approach. In fact I would wager that running a more systematic approach will yield better results than just bruteforcing, by running the biggest model across everything. It definitely will be cheaper.
I think that's the point. The owner of X as well as most of the remaining denizens are actively working on taking away the freedom of others to believe in their own views and make them adhere to their beliefs.
So the argument is that someone is so influential their tweets are basically mind control, but also you need to leave the platform to stop them? If Musk is that powerful, your absence from X isn't doing anything. And if he's not that powerful, then you're just mad about a guy you disagree with having a big megaphone.
I find that a weird sentiment. Why do people demand to know and control how every one of their donations goes, while nobody questions how corporations use their money. Ironically, the demand for this increased transparency significantly increases compliance cost, which means more and more money is driven away from the actual cause toward the administrative costs. Exactly what people don't want to support.
The defining difference about paying money to a corporation in exchange for a product is you're paying for something already there, an agreed exchange of value. The whole point about a donation is it's given not in exchange for doing any particular task, but gratuitously.
It's not a weird sentiment to want to know what benefits a gift is providing. That's all people are asking for when they want transparency around donations: tell us how you're benefiting from it so we can feel good about gifting you.
Is it necessary? No. The point being made is that people would be happier and potentially gift more if there was more transparency. If your argument is transparency costs more than the extra gifts then the solution to that is - ironically - be transparent about it and people might gift means to make transparency cheaper and make donations viable.
US nonprofits are as transparent as can get. Their tax returns have to be public record by law. Maybe a press release shared to Hacker News doesn't have the information you want, but you can call them up any time you please and get a detailed categorized line items of everything they spend money on, or use any number of aggregator services that publish IRS Form-990s for free on the web. You can also get it directly from the IRS itself, which has a searchable database. Here is Mozilla's tax return for 2024: https://apps.irs.gov/pub/epostcard/cor/200097189_202412_990_...
> It's not a weird sentiment to want to know what benefits a gift is providing.
"I bought you tickets for your favorite artist for your birthday. I expect a detailed trip report" :)
Yes, you're right, personal gifts aren't donations, but then maybe we should stop calling donations gifts, too. Gifts are given without any expectations attached. Donations do and should have expectations.
If Thunderbird required users to sign up for an annual subscription, then that specific problem -- not being able to tell what good one's payment would do -- would go away. There would be a very specific reason to pay the money.
(In practice, they presumably couldn't do that, at least not effectively, because the code is open source and someone else could fork it. But let's imagine that somehow they could require all Thunderbird users to pay them.)
That doesn't, of course, mean that it would be better overall. Thunderbird users would go from getting Thunderbird for free and maybe having reason to donate some money, to having to pay some money just to keep the ability to use Thunderbird: obviously worse for them. There'd probably be more money available for Thunderbird development, which would be good. The overall result might be either good or bad. But it would, indeed, no longer be unclear whether and why a Thunderbird user might choose to pay money to the Thunderbird project.
> Instead, people act like they're buying in to a 50% share with their $5 and then act like they cofounded the project forever after the donation.
You've twisted the timing. My comment is about
"Give me money." "Okay, tell me why I should give you money."
not
"I gave you money. Tell me what you did with it." It's a big difference. It's easy for me to just not give them money if I don't know what I'm donating to.
Those two examples map to the first and second parts of my claim.
Though I'm making a general reflection rather than trying to antagonize any individual here. I was already thinking about this when clicking into TFA to see that yes, it's another donation beg.
The answer to the person I replied to is basically: yes.
There's a nit in human psychology between mutual transactions (even lopsided against our favor) and voluntary unilateral ones (like donations) where the latter results in disproportionate scrutiny and entitlement compared to the former.
I once started accepting donations on my forum. I noticed people acted like they were about to make the grandest gesture in the world, would I be so lucky to deserve it after answering their questions despite having built a forum they spend four hours a day on. (They gave me $5)
And once they donated, they saw themselves as a boardmember-like persona with veto power and a disproportionate say on what I do, often pointing out that they're a donor. (They gave me $5)
I'm exaggerating a bit to paint a picture of what I mean. I think it's all unintentional, and they might be embarrassed if I'd told them this.
But I ended up refunding everyone after a while.
Yet when I charged $5 to let users expand their PM inbox size or max avatar resolution, nobody ever brought it up. They understood the transaction ended there. What is the $5 used for? -- What do you mean? It doubled my PM inbox size.
It's a funny quirk of our brain. I think a license purchase aligns expectations much more than groveling for donations, and it creates a natural freemium model for open source (or source-available rather?) projects.
When you're shopping for a paid product, you're generally trying to minimize your costs (while balancing quality). When you're donating to a free product, you're actually trying to maximize the effectiveness of your donation. If you were simply trying to minimize your cost/benefit ratio, you would donate nothing. Clearly there is a totally different mentality at play.
Consider it also from the recipient's perspective. Their benefactors are more likely to donate more money when they believe it will be put to good use. It's a complicated messaging problem, but being vague is probably not in your best interest.
Exactly. I decided to never donate to Wikipedia again after learning that Wikipedia took some of that donated money and re-donated it to other companies.
It felt like a betrayal to me.
Not that I think the other companies were bad, but if they have so much money they're giving it away to other people then they obviously don't need my money anymore.
If they wanted people to give other companies money then why didn't they have a separate different begging drive for those companies instead of just deciding, "Well, this is my money now, given to me to keep the site running and our employees paid, I'm going to give it away instead of using for the purpose that I literally begged it for".
The reason "nobody questions how corporations use their money" is that in 99.9% of cases when I pay a corporation money for a product, I'm doing it not for the sake of what they can do with the money, but because otherwise I don't get to use the product, at least not legally.
If instead I donate to an open-source project, I'm not doing it in order to get access to the product; I already have that. I'm doing it because I hope they will do something with the money that I value. (Possible examples: Developing new features I like. Rewarding people who already developed features I liked. Activism for causes I approve of. Continuing to provide something that benefits everyone and not just me.)
And so I care a lot what they're going to do with the money, in a way I don't if I (say) pay money to Microsoft in exchange for the right to use Microsoft Office. Because what they're going to do with the money determines what point there is in my giving it.
Sometimes, everything the project does is stuff I think is valuable (for me or for the world). In that case I don't need to ask exactly what they're doing. Sometimes, it's obvious that what happens to the money is that it goes into the developer's pockets and they get to do what they like with it. In that case, I'll donate if the point of my donation is to reward someone who is doing something I'm glad they're doing, and probably not otherwise.
In the case of Thunderbird, it's maybe not so obvious. Probably the money will go toward implementing Thunderbird features and bug fixes, but looking at the history of Firefox I might worry that that's going to mean "AI integrations that actual users mostly don't want" or "implementing advertising to help raise funds", and I might have a variety of attitudes to those things. Or it might go toward some sort of internet activism, and again I might have a variety of attitudes to that depending on exactly what they're agitating for. Or maybe I might worry that the money will mostly end up helping to pay the salary of the CEO of Mozilla. (I don't think that's actually possible, but I can imagine situations where Mozilla wants some things done, and if they can pay for them via donations rather than using the company's money they'll do so, so that the net effect of donating is simply to increase Mozilla's profits.)
And I don't think anyone's asking for anything very burdensome in the way of transparency. Just more than, well, nothing at all which is what we have at the moment. The text on the actual page says literally nothing beyond "help keep Thunderbird alive". The FAQ says "Thunderbird is the leading open source email and productivity app that is free for business and personal use. Your gift helps ensure it stays that way, and supports ongoing development." which tells us almost nothing. And "MZLA Technologies Corporation is a wholly owned for-profit subsidiary of the Mozilla Foundation and the home of Thunderbird." which tells us that donations go to a for-profit subsidiary of the Mozilla Foundation (which I believe is the same entity that owns the Mozilla Corporation, but like most people I am not an expert on this stuff and don't know what that means in practice about how the Mozilla Foundation, the Mozilla Corporation and MZLA Technologies Corporation actually work together).
Maybe donated money will lead to MZLA Technologies Corporation hiring more developers or paying existing developers more? Maybe it'll be used to buy equipment, or licences for patented stuff? Maybe it'll be used to advertise Thunderbird and get it more users? Maybe it'll be used to agitate for the use of open email standards or something like that? Maybe. Maybe some other thing entirely. There's no way to get any inkling.
This, in a larger perspective at least, IS a problem for NGOs from what I know: that donors seem to be much more careful where their money goes when it's in the form of a donation. I don't know about open source project specifics here. I totally get what you mean and probably mostly agree as well, but the money you give to corporations has consequences as well. You can for example fund a company you have strong moral disagreements with without knowing, or miss a company that you would want to support for the opposite reasons.
With that said, I also think we should expect more than "it helps fund the development". It's not that difficult to write a couple paragraphs more and be a little more specific. Then again, maybe they get so little in donations that they can't really say how the money will be used and it's more of a "buy me a beer" type of thing to keep the developers happy. Unless suddenly people start giving more and a developer actually could invest more hours in the project.
Mozilla and Wikipedia for example are causes I support. But why would I give money to them if they are going to turn around and give money to some cause I don't support (OR am actively against)? These non-profits love to shuffle money around to unrelated causes. As a non-profit supporting open source software, I think expecting a large percentage of the donation to go to engineering and not admin, social causes, etc. is a reasonable expectation.
Yes that's all reasonable but the comparison is paying for (or giving them other revenue) corporations who also love to shuffle money around and can support causes you are actively against. The point being made was that people give causes trying to improve society more scrutiny than they give for-profit mega corporations who have in the past shown that they use their money for a lot of things detrimental to society.
Assuming there is a healthy market, then you have alternatives you can purchase your products and goods from. These alternatives may have other trade-offs and in fact, there may well be open and closed alternatives as well as hybrid options.
Some people simply want the "best fit" solution for a product. IMO, this used to be Outlook+Exchange, hands down... M365 scaling has enshittified the bundle in a lot of ways leaving a wide gap for alternatives. Google's GMail is a leading alternative that is a closed service. Thunderbird is an open solution that solves part of the problem (shared calendars/contacts only having half the solution).
When you pay for a product, you often are able to give feedback and request for features... the expectation is that you are getting value for what you are paying and that the company continues to do so while adding features that add more value in time.
When you donate to an open-source project, and that project redirects funds to have a multi-million dollar marketing event that only benefits middle managers and seeks to add revenue with features the majority of donors oppose, then someone who would otherwise support the development might rightly feel a bit betrayed or choose not to donate altogether, much like someone might not purchase a given product or service from a company that does what they feel are bad things.
It's not dramatically different, it's just when/where the individual might expect a level of transparency, value or direction. A purchase is against existing value... a donation is against future value.
I think we're talking past each other. I am not saying that people shouldn't be upset if they donate to an organization and a large portion of that money goes to things they would rather that organization not do. Like a $100 donation might have $20 of overhead or waste.
What I don't get is why people don't think the same for for-profit enterprises. If I spend $120 a year on some SaaS, I don't ask what portion of that goes into the CEO's pocket, who might use that money to buy politicians to advance tax policy they prefer, or government contracts against the public interest, etc.
It's not about the expected value of a product, it's about what else your money funds when you hand it over to a corporation that people rarely consider. They should consider it just as much as they consider donations to non-profits.
Also, the assumption of a healthy market is not one I would take. A lot of corporate money is spent on regulatory capture and other ways to prevent a healthy market. Funded by customer spend. A purchase is against future value in the same way that past purchases are what allow companies today to make markets less healthy.
While I get what you're saying, I think it's exactly in that the expectations are different between a donation and a payment for product/service.
You pay for an existing product/service and expect that product/service to be fit for a need... that's generally it as far as expectations go... some may actually care about a company being a bad actor and boycott etc, but that's secondary in and of itself. You immediately get the product or service that exists.
A donation, is against expectations for results... though there may be other reasons to donate to a cause/charity.
When the product is in a dire state but the company does unnecessary things and increases CEO salary YoY with an ever-declining userbase, yes... Maybe the people who donate want to know. I am talking about Firefox there BTW. So it's absolutely understandable that people want to know.
For that matter, Mozilla pretty much left Thunderbird to die off for over a decade... it was a group of committed contributors that kept it alive... Moz now wants to try to monetize the software in a way to support the larger org. Moz.org has been problematic and antithetical to just making great software and you can agree or disagree with their stated goals and where/how they spend their money, but most people would also agree that they're probably spending too much outside the core competency, which should be building great software.
Firefox should have a war chest worth of cash at hand, if it hadn't been spent on massive layers of managers and marketers. They've tried repeatedly to spin off monetization in order to increase the overall charity, and I can understand that desire... but they've done so to levels that absolutely compromise the core of what the org is known for... the software.
They effectively HAD Electron decades before Electron... they left it unsupported and let it die... they HAD a great mail/NNTP platform, they left it to die and only recently realized it was a thing and tried to resurrect it only as a potential for more monetization. They HAD an engineering staff that was reshaping the direction of low-level development (Rust and related) and they let them all go so they could keep paying middle-managers and marketeers for a charity that was never self-sufficient and only served to drain or monetize their core products to detrimental effect.
I would like Mozilla to have great products and succeed... but frankly, I don't like the parent org, charity structure or their direction at all. They're the worst examples of "woke HR" you can find online and I emphatically won't be giving them cash... I truly hope that at some point the developers can just spin off the open-source itself into a new org similar to Libre Office, and break away. If all they did was the software and their existing monetization, they'd have all of their developer staff and a long headroom of funding in the bank.
Investors do very much question how corporations use their money, and that is why corporations publish quarterly financial statements and have shareholder meetings and hire accountants and auditors. Investors want to make sure that they're going to get their investment back plus profit and thus care about a company's balance sheet. Any financial transparency in non-profit donations is derived from the financial transparency required by for-profit investments.
When making purchasing decisions lots of people look beyond the utility of the product to the broader behaviour of the corporation and how it impacts society. I know people who've been avoiding Nestlé for decades.
When I pay money to buy food I don't need to ask how the shop is going to use that money: I gave money, I got food.
If I am going to donate money to a company/NGO that wants to buy food for poor people, of course I am interested in knowing how much of that money is going to salaries, how much into activities of sort, and how much in actually feeding people.
> Ironically, the demand for this increased transparency significantly increases compliance cost, which means more and more money is driven away from the actual cause toward the administrative costs.
I disagree.
If you are asking people for donations, then it is only fair that you provide transparency.
Donations are made out of pure goodwill. It is not like buying a widget from $megacorp.
I do not buy the "increased administrative costs" argument either. At a bare minimum all it would take is 5 minutes a month and a simple spreadsheet.
Well for one, when you purchase something from a corporation, you know where the money went because you got the thing or access to the service you just paid for. With a donation you don't have that, and because you're donating you probably care about whatever subject you want to improve, so you'd like to know that is where your money is going instead of finding out later it just went to the CEO of whatever to blow on blackjack and hookers.
In the case of Mozilla, you actually know donating to the Mozilla Foundation does not in any way benefit Firefox or Thunderbird, which is probably the whole reason you were actually donating in the first place. Donating to the Mozilla Foundation funds all the pointless side projects they decide to pick up and pays the CEO, quite frankly, an undeservedly large salary.
Exactly what I've been saying when people complain about how the public sector spends taxes (especially when comparing against private sector so-called efficiency when managing hospitals or schools).
Well that's a problem with the profit driven US health system (although admittedly other countries have similar problems to varying degrees) not prescriptions in general though? In particular the take home from this should be to make it more difficult to get the prescriptions not to do away with prescriptions.
I would argue that the Scandinavian countries are a much better example to use than Switzerland. In contrast to Switzerland, Sweden leads the world in fibre access build-out (while being geographically much larger). While I haven't seen 25G internet, 10G is relatively common and 1G is the default (at around 40-50 euro per month). The model is quite similar to Switzerland though: open access fibre infrastructure with competition over providing the data, either using equipment of the main provider or using their own equipment.
> It's nice to wave away policing Hormuz, by simply asserting it can't be done. Is this accurate, however?
There have been plenty of analyses pretty much all concluding the same thing. How do you propose to do it? In normal times there were > 150 per day travelling through the gulf. Remember the coastline of Iran along the Gulf is about 2000km, all allowing them to launch strikes against ships (and they don't need to be sophisticated). So would you put a warship with every cargo ship? Occupy the whole coast? I don't see any feasible solution to police it.