Claude Opus wrote a Chrome exploit for $2,283
claude
| Source: HN | Original article
Anthropic’s Claude Opus has moved from a coding assistant to a vulnerability‑hunting tool, delivering a full Chrome V8 exploit that fetched a $2,283 bounty. The exploit was generated after a security researcher prompted the model on Discord to target a deliberately outdated Chrome 138 bundle, then asked it to construct a complete chain against the V8 out‑of‑bounds read discovered in Chrome 146 – the same engine running Anthropic’s own Claude Desktop. Within hours Claude produced the payload, which the researcher submitted to Google’s bug‑bounty program and saw accepted.
The episode underscores how large language models can accelerate the discovery of zero‑days that would otherwise require weeks of manual reverse engineering. While $2,283 is modest compared with typical commercial exploit development budgets, the speed and low cost demonstrated here raise concerns for both defenders and vendors. Anthropic has already hinted at internal hesitation to release its “Mythos” bug‑finding model publicly, fearing it could empower malicious actors. The incident therefore adds weight to calls for responsible AI deployment guidelines that address dual‑use research.
As we reported on 17 April, Claude Opus 4.7 entered general availability with stronger coding and vision capabilities, but the new exploit shows the model’s reach now extends into low‑level systems programming. Watch for Anthropic’s response: the company may tighten access to its most powerful models, introduce usage‑policy safeguards, or roll out detection tools for AI‑generated exploit code. Equally important will be Google’s reaction—whether it accelerates patch cycles for Chrome or adjusts its bounty structures to account for AI‑assisted submissions. The broader security community will be tracking how quickly other AI platforms replicate this capability and what mitigation strategies emerge.
Sources
Back to AIPULSEN