Merge summary file into the Vulnerabilities files #225

Open
Bobsimonoff opened this issue Oct 21, 2023 · 5 comments
Labels
enhancement Changes/additions to the Top 10; eg. clarifications, examples, links to external resources, etc

Comments

@Bobsimonoff
Contributor

Currently, the summary of each risk is in a single file that is separate from the actual risk details. This causes a disconnect when the risk is updated. Above the description in the template for each risk, I would like to see the summary section. Then, at production time, all the summary sections can be grabbed and put into a single file for PDF generation.

@Bobsimonoff Bobsimonoff added the enhancement Changes/additions to the Top 10; eg. clarifications, examples, links to external resources, etc label Oct 21, 2023
@GangGreenTemperTatum
Collaborator

Hey @Bobsimonoff can you highlight the specific area you are referring to please, or a screenshot? TYIA

@Bobsimonoff
Contributor Author

[image]

These summaries only exist together in a single file. The individual risk documents do not contain the summaries.

@GangGreenTemperTatum
Collaborator

Understood, thanks. Adding @rossja but IMO the idea is to keep the vulnerabilities concise and duplicating data or adding too much additional context can cause confusion, lack of focus and ultimately not deliver our intention.

@Bobsimonoff
Contributor Author

Here is my thinking when you say, "the idea is to keep the vulnerabilities concise and duplicating data or adding too much additional context can cause confusion" -- I agree. Adding a 1-sentence summary is not additional context, and the risks should be concise. However, when we have risks that look like this:

[image]

or this

[image]

I think an additional sentence at the top that says summary like the following greatly helps the reader:

Summary

Manipulating LLMs via crafted inputs can lead to unauthorized access, data breaches, and compromised decision-making.

Summary

Tampered training data can impair LLM models leading to responses that may compromise security, accuracy, or ethical behavior.

We do have some very short risk descriptions and some long ones. Here are the word counts for the description sections of each LLM risk:

  • LLM08: Excessive Agency - 155 words
  • LLM02: Insecure Output Handling - 177 words
  • LLM07: Insecure Plugin Design - 169 words
  • LLM04: Model Denial of Service - 153 words
  • LLM10: Model Theft - 174 words
  • LLM09: Overreliance - 165 words
  • LLM01: Prompt Injection - 312 words
  • LLM06: Sensitive Information Disclosure - 241 words
  • LLM05: Supply-Chain Vulnerabilities - 114 words
  • LLM03: Training Data Poisoning - 338 words

The longest summary we have is 20 words.

Up to everyone else, it is just a thought to make things easier for maintenance and the reader.

@rossja
Collaborator

rossja commented Oct 25, 2023

I agree that putting the summary into the entries is likely a good idea. I already had that on my own list of questions to raise for v2, so this issue is perfect timing.
