binarymax
4 hours ago
> MSRC bounty team determined that M365 Copilot was out-of-scope for bounty and therefore not eligible for a reward.
What a shame. There’s probably LOTS of vulns in copilot. This just discourages researchers and responsible disclosure, likely leaving copilot very insecure in the long run.
candiddevmike
4 hours ago
It's irresponsible for any company to be using copilot with MS having this bug bounty attitude, IMO. Would be curious what other products are out of bounds so I know not to use them...
driverdan
2 hours ago
This is MS telling anyone who finds an M365 Copilot exploit to sell it instead of reporting it. Incredibly short sighted and foolish.
p_ing
4 hours ago
QQ for the LLM folks -- is this possibly due to the lack of determinization of LLM output?
If I code a var blah = 5*5; I know the answer is always 35. But if I ask an LLM, it seems like the answer could be anything from correct to any incorrect number one could dream up.
We saw this at work with the seahorse emoji question. A variety of [slight] different answers.
nawgz
4 hours ago
> If I code a var blah = 5*5; I know the answer is always 35
I greatly enjoy the irony here.
anonymars
3 hours ago
It's okay, we've replaced the Turing test with the em dash test
DrewADesign
3 hours ago
The em dash thing seems weird to me. The writing style guide for the college I attended as a freshman was big on them, and I never shook the habit. Not being able to easily conjure one was one of the biggest annoyances when I was forced to switch from macOS to windows.
airstrike
2 hours ago
> Not being able to easily conjure one was one of the biggest annoyances when I was forced to switch from macOS to windows.
I always install AutoHotkey if I have to use Windows for long periods of time. Interestingly, the bindings are so intuitive that I had actually come up with the _exact same_ bindings as macOS without knowing they existed. Imagine my surprise when I switched to a mac and found out they were there natively!
dpark
3 hours ago
I find the em dash thing weird as well. I bunch of people who didn’t know what an em dash was a couple of years ago decided that it’s a signature LLM move.
Nition
13 minutes ago
Very few humans go to the effort of using a true em dash in Internet comments (almost everyone just uses a hyphen), so it's a pretty good LLM indicator when paired with a certain writing style.
nawgz
2 hours ago
It just contrasts expectations of the unwashed masses with more professional writing.
If most people are used to reading social media and texts from their friends and maybe subtitles for movies, an em dash is practically never going to appear, and so when everyone and their dog start using them, well, it’s obvious something is up.
Whereas the more literate individual used to consuming writing for pleasure will have seen them regularly, and may even have employed them while writing.
BolexNOLA
2 hours ago
I use them all the time. I get endless crap now for it lol
tatersolid
2 hours ago
One of my first jobs was as the programmer/IT/graphics guy at a newspaper. Everybody there was required to use em-dashes properly and regularly, and followed other esoteric rules from the Associated Press Stylebook that also regularly appear in LLM output.
This highlights just how much unlicensed copyrighted material is in LLM training sets (whether you consider that fair use or not).
akoboldfrying
an hour ago
Inflation
CaptainOfCoit
4 hours ago
> There’s probably LOTS of vulns in copilot
Probably exactly why they "determined" it to be out of scope :)
ruguo
2 hours ago
I honestly can’t even remember the last time I used Copilot.