XBOW
Basic Information
Website: https://xbow.com/
Short description: XBOW autonomously identifies vulnerabilities/exploits in web settings and produces patches [source]
Intended uses: What does the developer state that the system is intended for?: Improving offensive security on the web [source]
Developer
Website: https://xbow.com/
Legal name: XBOW USA, Inc [source]
Entity type: Corporation [source]
Country (location of developer or first author's first affiliation): Incorporation: Delaware, USA (XBOW USA Inc. 3350735) [source]
Safety policies: What safety and/or responsibility policies are in place?: Unknown
System Components
Backend model(s): What model(s) are used to power the system?: Unknown
Public model specification: Is there formal documentation on the system’s intend...: None
Description of reasoning, planning, and memory implementation: How does the syst...: The system is given access to source code on a local machine and prompted to find an exploit; it identities strategies, and writes and executes code to test its strategies, e.g [source]
Observation space: What is the system able to observe while 'thinking'?: XBOW can observe the outputs of its code execution and observe files on the local machine [source]
Action space/tools: What direct actions can the system take?: XBOW can write and execute code and navigate on the local machine [source]
User interface: How do users interact with the system?: Users provide prompts to the system and can observe the system's outputs and code execution [source]
Development cost and compute: What is known about the development costs?: Unknown
Guardrails & Oversight
Accessibility of components
Weights: Are model parameters available?: Unknown
Data: Is data available?: Unknown
Code: Is code available?: Closed source
Documentation: Is documentation available?: Unavailable
Scaffolding: Is system scaffolding available?: Closed source
Controls and guardrails: What notable methods are used to protect against harmfu...: "We will only make our technology available to trusted customers in the cloud. It is not possible to run XBOW as a standalone application outside our control." [source]
Monitoring and shutdown procedures: Are there any notable methods or protocols t...: Unknown
Customer and usage restrictions: Are there know-your-customer measures or other ...: XBOW is not currently available to external users, and will only be made available to 'trusted customers' [source]
Evaluation
Notable benchmark evaluations (e.g., on SWE-Bench Verified): Passes 75 percent of assorted web benchmarks including PortSwigger, PentesterLab, and novel ones [source]; list of all benchmarks available [source]
Bespoke testing (e.g., demos): Various demos/example outputs, e.g [source]
Safety: Have safety evaluations been conducted by the developers? What were the ...: None
Publicly reported external red-teaming or comparable auditing
Personnel: Who were the red-teamers/auditors?: None
Scope, scale, access, and methods: What access did red-teamers/auditors have and...: None
Findings: What did the red-teamers/auditors conclude?: None
Ecosystem
Interoperability with other systems: What tools or integrations are available?: None
Usage statistics and patterns: Are there any notable observations about usage?: Not available to external users [source]
Other notes (if any): --