Cloudflare分享了其Project Glasswing项目的最新进展,介绍了一种基于多模型协作的企业级漏洞发现与验证系统 [1]。该系统通过解耦底层大模型架构,利用独立的发现引擎(VDH)和验证系统(VVS),并采用不同模型进行交叉验证以消除偏见,实现了对跨仓库依赖的自动化安全审计 [1]。
在针对128个代码库的运行测试中,该累计生成了20,799个原始候选漏洞,经过去重和验证后最终保留了7,245个可行动发现 [1]。系统性能方面,初始验证拒绝率从40%降至11%,高完整性发现比例则从35%提升至58% [1]。此外,项目引入了"Wishlist"机制以允许代理自主请求外部资源(如FreeBSD VM),该功能在测试中被调用了25,472次 [1]。
目前,Cloudflare已发布初始安全审计技能代码供公众使用,访问地址为github.com/cloudflare/security-audit-skill [1]。
Cloudflare has shared the latest progress on its Project Glasswing initiative, introducing an enterprise-grade system for vulnerability discovery and validation based on multi-model collaboration [1]. The architecture decouples underlying large models to utilize independent engines for cross-validation that eliminates bias. Specifically, the system is divided into a Vulnerability Discovery Harness (VDH) and a Vulnerability Validation System (VVS), which employ different models to verify findings against one another [1].
The system was tested across 128 code repositories, generating a cumulative total of 20,799 original candidate vulnerabilities. After deduplication and validation processes were applied, the project retained 7,245 actionable discoveries [1]. Performance metrics showed significant improvements in efficiency: the initial verification rejection rate dropped from 40% to 11%, while the proportion of high-integrity findings rose from 35% to 58% [1].
To enhance autonomy, a "Wishlist" mechanism was introduced allowing agents to independently request external resources such as FreeBSD virtual machines. This specific function was invoked 25,472 times during operation [1]. Cloudflare has released the initial code for its security audit skills on GitHub at github.com/cloudflare/security-audit-skill [1].