Comment by leo_e

3 days ago

The most concerning part isn't the vulnerability itself, but Google classifying it as a "Known Issue" ineligible for rewards. It implies this is an architectural choice, not a bug.

They are effectively admitting that you can't have an "agentic" IDE that is both useful and safe. They prioritized the feature set (reading files + internet access) over the sandbox. We are basically repeating the "ActiveX" mistakes of the 90s, but this time with LLMs driving the execution.

That's a misinterpretation of what they mean by "known issue". Here's the full context from https://bughunters.google.com/learn/invalid-reports/google-p...

> For full transparency and to keep external security researchers hunting bugs in Google products informed, this article outlines some vulnerabilities in the new Antigravity product that we are currently aware of and are working to fix.

Note the "are working to fix". It's classified as a "known issue" because you can't earn any bug bounty money for reporting it to them.