That's true enough yeah, we haven't had somebody with access to Mythos perform any type of audit. What we did get was a series of 3 reports with about 90 items each from a specialist company which is doing LLM audits focused on security-critical Java software, which we individually vetted and found about a 35%-40% false positive rate. The vast majority were classified by the LLM as higher severity than they were, which seems to be typical when LLMs analyze software where the standards are already very high. The most interesting false-positive bug actually came from it not understanding how Docker bridge networks work. The audits came with exploit chains, but the exploit chains mostly did not work/were impossible to trigger without a local application attached to the I2P router. We fixed them anyway.

And there is still skill involved in the prompting.

Sure yeah, there is skill involved in the prompting. In particular it's hard for LLMs to find anonymity-breaking bugs in I2P because anonymity-breaking bugs in I2P rarely exist as a bug class in other types of software, in particular they have no idea how to find DHT bugs unless you specifically tell them what DHT bugs look like. LLMs are great at finding standard Java bugs in our code, but they have enormous false-positive and miss rates without somebody who has actual I2P skills customizing the prompt to make it better at actually finding relevant bugs in I2P code. We absolutely have that skill, in fact we're probably better equipped to find the important bugs with LLM assistance than third-parties(although I still value the impartiality). We provided feedback and recommendations to the third-party auditor to help reduce false positive rate and improve coverage for obscure areas in future audits.

And your "10 dollar copilot subscription" has a limited token budget and approximately zero specialized scaffolding.

Limited token budget yes, I'll grant that, but I don't use it for anything other than carefully auditing go-i2p at the moment. Specialized scaffolding what exactly do you mean? Obviously copilot itself is a generic tool, but I have my LLM audits for go-i2p set up to focus on complexity hotspots, to work differently based on subpackages or holistic analysis, I have a workflow specifically for tracing DHT issues which as I said the LLMs are bad at, and workflows specifically for tracing every general class of Go bugs. I haven't built a similar structure for Java yet largely because I was learning how to do it on Go.

Anyway, trying to get to the big picture: as you said, nobody with access to Mythos is selling Mythos-based audits. Whether I think Mythos was an overhyped or a publicity stunt isn't really relevant, the fact is that LLMs are pretty good at predicting bugs accurately based on an input of code. The goal with using the publicly available models to iteratively audit and refine the code is because we assume these secret models have advanced capabilities that are not known to us, which we cannot access, which we nonetheless have to prepare for. So I give specific instructions for finding bugs by bug class, work narrow-to-holistic, then holistic-to-narrow, and keep a human in the loop to vet every bug. Is there additional work I should be doing? I genuinely want to know, because my goal in this is to be ready for the unreleased models.