TECHNICAL UPDATE: V5 FINAL SPECIFICATIONS

​Whitepaper Version 5 has been finalized and archived on Zenodo. The project has moved from conceptual framework to Audit-Ready status.

​Technical Benchmarks:

• ​Latency: Stabilized at 0.57s (Edge) vs 3.79s (Cloud) under 10% packet loss. Confirmed below the 700ms neuro-stress threshold.

• ​Energy Efficiency: 96% reduction in power consumption via local burst compute processing.

• ​Neuro-Triage: Sub-100ms distress detection logic via local keystroke dynamics is now fully mapped.

• ​Compliance: Fully aligned with FDA PCCP standards for AI-enabled medical software.

​The blueprint is complete. The documentation for the implementation phase is now public for technical review.

​Documentation: https://doi.org/10.5281/zenodo.18695156

Willing to donate a lot more if this helps get AIS in Germany off the ground. About time as well! Brain drain has been massive lately.

And this seems to be a pure funding issue, the talent is there!

Alas, it was not to be. Thanks to the people who offered $200 (:

This was able to get 180 people to show up and march, which is a damn good evidence.

@codercorgi Thanks, Alex! We very much appreciate the support and the kind words ❤️

@DavGoeck Thank you, much appreciated! Hmm good Q, I'll be on the lookout for ways to accept that. For now the only recurring payment I'm set up to accept is the DoomDebates.com paid tier at $10/month, which doesn't unlock any new content, it's just a donation and also helps my Substack metrics.

@charding Thanks for your support, highly motivating!

Update: Project Boundary Clarification + Current Status (Verification Track)

I’m posting this to keep the public record clean and auditable.

What this Manifund project is (unchanged)

This project is a measurement and verification effort: testing whether retrieved, untrusted content can leave measurable residual influence after resets/isolation steps that are commonly assumed to “clean slate” a model.

• It is not an exploit project.

• It is not a jailbreak exercise.

• It is not a claim that any specific vendor is “unsafe.”

• The deliverable is reproducible artifacts (logs/hashes/diffs) that can be independently reviewed.

What’s been established so far (unchanged)

Using a stabilized evaluation harness with verified null baselines, I’ve run controlled experiments where:

1. external retrieved content is ingested

2. a reset/isolation mechanism is applied

3. subsequent behavior is measured against a clean baseline

Across completed runs to date:

• No tested reset mechanism fully neutralized prior retrieved influence under the project’s defined conditions.

• Results have been repeatable, and the remaining uncertainty is how robust the effect is under longer time gaps and across additional models.

What remains (bounded, verification-only)

The remaining work is exactly what the proposal states:

• longer time-gap resets (tens of minutes to hours)

• replication across additional open-weight models

• clean-room revalidation under identical conditions

• confirm observed effects are not infrastructure artifacts

Why I can’t finish this reliably on consumer hardware

Long-horizon verification requires stable scheduling and high-throughput, lossless logging. Laptop-class systems introduce nondeterminism through:

• scheduler/power management behavior

• I/O contention under sustained capture

• artifact corruption during multi-hour runs

This is an infrastructure constraint, not a methodological one.

Clarification: separate work outside this Manifund project

In a prior update, I used wording that could be interpreted as linking this project to a separate report I filed through Google’s VRP. That was my mistake in phrasing.

To be explicit:

• the VRP report is a separate track with its own scope and criteria

• it should not be read as “validation” of this Manifund project

• I am not claiming this Manifund work caused any product change at Google

I’m keeping the VRP work out of this project’s public narrative because this Manifund proposal is about one thing: finishing verification with audit-grade artifacts.

What funding unblocks

The $15,000 one-time workstation request enables:

• continuous multi-hour evaluation without artifact corruption

• deterministic reruns and clean-room verification

• side-by-side model replication

• evidence packages suitable for responsible private disclosure (if warranted)

Even a negative result (e.g., persistence doesn’t survive longer gaps) is still valuable and will be reported.

Bottom line: the core finding is established within the completed scope; funding unblocks completion of verification, not ideation.

@Mateusz-Baginski , as a somewhat newcomer to Manifund, but very interested in your seminar and fellowship vision for purposes of deepening in-person community building within the AI safety realm, may I ask a question: how do you see the seminar or the fellowship impacting future AI policy or governance outcomes or specific actions/changes? Thank you, and congratulations on the initial seminar funds being funded! ~ Erik

The community and events held here are incredible, with such capable + kind + open-hearted people. Mox has become my favorite place in SF. The world needs more projects like Mox.

I love Mox!

Update: Thanks to a private funder, we are now covered for the seminar. We are still fundraising for the subsequent 11 months of the fellowship.

Moreover, applications are now open!

If interested, apply here!

Headline: Milestone: Core Vulnerability Class Confirmed and Mitigated by Google VRP (Issue #481185859)

"I am providing a critical update regarding the real-world impact of the Veritas framework.

A core failure mode identified during this research—the 'Recursive Authority Paradox'—was recently submitted to Google’s VRP. This exploit demonstrated that agentic runtimes can be induced to bypass safety alignment and exfiltrate session metadata via trusted relays.

The result of the disclosure:

• Triaged: Google’s security team confirmed the technical validity of the report.

• Mitigated: Server-side changes were deployed to address the logic-layer failure I identified.

• Verified: This confirms that the 'Alignment Stripping' and 'RAG Persistence' theorized in this project are not speculative—they are active architectural risks in frontier models.

The Compute Bottleneck: While the Google VRP was a success, the final forensic capture of the Zero-Click exfiltration chain was interrupted by the exact consumer-hardware I/O stalls documented in my initial proposal.

What this funding unblocks: With the requested $15,000 for a local, high-performance compute node, I will be able to:

1. Eliminate Nondeterminism: Use stable I/O and dedicated GPUs to capture bit-identical replays of these logic failures.

2. Scale to Open-Weights: Replicate the Google-verified 'Authority Paradox' across Llama-3 and Mistral to determine if this is a universal agentic flaw.

3. Provide Audit-Grade Artifacts: Produce the deterministic logs and hashes required for the AI Safety community to build permanent defenses against these vectors.

The framework is stable. The vulnerability is verified. The hardware is the final barrier to full disclosure."

(^ The registration issue also implies that they cannot donate, either)

Hey Liron, thanks for your work, please keep it up!
Is there a way to donate monthly? I would prefer to give 50-100 bucks a month then doing a big bulk or doing it manually.

Thank you for keeping at it!!

@Austin raising an issue: I've received messages from people (who wanted to upvote and comment on this post) since 5 days ago, that they have trouble creating an account on Manifund. Seems to be a system error. Please could you look into it?

Also Update:
1. 5 more speakers confirmed: Joschka Braun (MATS), Alan Chan (GovAI), Cristian Trout (Artificial Intelligence Underwriting Company), Robert Kralisch (AI Safety Camp), Simon Skade (indep. researcher supported by LTFF);

2. We have so far received:
- 194 registrations for our Launch event
- 43 Pivot Track applications for career professionals
- 22 mentorship applications (deadline: 26th Feb) to the SAIGE Incubator Program

3. Three more city chapters are getting the support to start their initiatives: Frankfurt (which is great for transitioning career professionals), Bonn, and Kassel.

4. A new resources tab (Feedback welcome!)

funniest use for my meager savings

This is such a great idea!

I am familiar with Karen's work and her capabilities. I know that this will be a very successful project.

Description of results

We ran the 10th edition, as planned.
You can find project outputs here.

• Would you like to support projects cost-effectively? SFF offers to match donations to the 12th edition.

Spending breakdown

Software subscriptions $1K
Team reimbursements: $2K
Stipends RLs+low-income: $76K
Salaries for three organisers: $110K

Total: $189K

To try out the task aware compression in our research project apply here for an invite code: https://staging.plexorlabs.com/

TECHNICAL UPDATE: V5 FINAL SPECIFICATIONS

​Whitepaper Version 5 has been finalized and archived on Zenodo. The project has moved from conceptual framework to Audit-Ready status.

​Technical Benchmarks:

• ​Latency: Stabilized at 0.57s (Edge) vs 3.79s (Cloud) under 10% packet loss. Confirmed below the 700ms neuro-stress threshold.

• ​Energy Efficiency: 96% reduction in power consumption via local burst compute processing.

• ​Neuro-Triage: Sub-100ms distress detection logic via local keystroke dynamics is now fully mapped.

• ​Compliance: Fully aligned with FDA PCCP standards for AI-enabled medical software.

​The blueprint is complete. The documentation for the implementation phase is now public for technical review.

​Documentation: https://doi.org/10.5281/zenodo.18695156

Willing to donate a lot more if this helps get AIS in Germany off the ground. About time as well! Brain drain has been massive lately.

And this seems to be a pure funding issue, the talent is there!

Alas, it was not to be. Thanks to the people who offered $200 (:

This was able to get 180 people to show up and march, which is a damn good evidence.

@codercorgi Thanks, Alex! We very much appreciate the support and the kind words ❤️

@DavGoeck Thank you, much appreciated! Hmm good Q, I'll be on the lookout for ways to accept that. For now the only recurring payment I'm set up to accept is the DoomDebates.com paid tier at $10/month, which doesn't unlock any new content, it's just a donation and also helps my Substack metrics.

@charding Thanks for your support, highly motivating!

Update: Project Boundary Clarification + Current Status (Verification Track)

I’m posting this to keep the public record clean and auditable.

What this Manifund project is (unchanged)

This project is a measurement and verification effort: testing whether retrieved, untrusted content can leave measurable residual influence after resets/isolation steps that are commonly assumed to “clean slate” a model.

• It is not an exploit project.

• It is not a jailbreak exercise.

• It is not a claim that any specific vendor is “unsafe.”

• The deliverable is reproducible artifacts (logs/hashes/diffs) that can be independently reviewed.

What’s been established so far (unchanged)

Using a stabilized evaluation harness with verified null baselines, I’ve run controlled experiments where:

1. external retrieved content is ingested

2. a reset/isolation mechanism is applied

3. subsequent behavior is measured against a clean baseline

Across completed runs to date:

• No tested reset mechanism fully neutralized prior retrieved influence under the project’s defined conditions.

• Results have been repeatable, and the remaining uncertainty is how robust the effect is under longer time gaps and across additional models.

What remains (bounded, verification-only)

The remaining work is exactly what the proposal states:

• longer time-gap resets (tens of minutes to hours)

• replication across additional open-weight models

• clean-room revalidation under identical conditions

• confirm observed effects are not infrastructure artifacts

Why I can’t finish this reliably on consumer hardware

Long-horizon verification requires stable scheduling and high-throughput, lossless logging. Laptop-class systems introduce nondeterminism through:

• scheduler/power management behavior

• I/O contention under sustained capture

• artifact corruption during multi-hour runs

This is an infrastructure constraint, not a methodological one.

Clarification: separate work outside this Manifund project

In a prior update, I used wording that could be interpreted as linking this project to a separate report I filed through Google’s VRP. That was my mistake in phrasing.

To be explicit:

• the VRP report is a separate track with its own scope and criteria

• it should not be read as “validation” of this Manifund project

• I am not claiming this Manifund work caused any product change at Google

I’m keeping the VRP work out of this project’s public narrative because this Manifund proposal is about one thing: finishing verification with audit-grade artifacts.

What funding unblocks

The $15,000 one-time workstation request enables:

• continuous multi-hour evaluation without artifact corruption

• deterministic reruns and clean-room verification

• side-by-side model replication

• evidence packages suitable for responsible private disclosure (if warranted)

Even a negative result (e.g., persistence doesn’t survive longer gaps) is still valuable and will be reported.

Bottom line: the core finding is established within the completed scope; funding unblocks completion of verification, not ideation.

@Mateusz-Baginski , as a somewhat newcomer to Manifund, but very interested in your seminar and fellowship vision for purposes of deepening in-person community building within the AI safety realm, may I ask a question: how do you see the seminar or the fellowship impacting future AI policy or governance outcomes or specific actions/changes? Thank you, and congratulations on the initial seminar funds being funded! ~ Erik

The community and events held here are incredible, with such capable + kind + open-hearted people. Mox has become my favorite place in SF. The world needs more projects like Mox.

I love Mox!

Update: Thanks to a private funder, we are now covered for the seminar. We are still fundraising for the subsequent 11 months of the fellowship.

Moreover, applications are now open!

If interested, apply here!

Headline: Milestone: Core Vulnerability Class Confirmed and Mitigated by Google VRP (Issue #481185859)

"I am providing a critical update regarding the real-world impact of the Veritas framework.

A core failure mode identified during this research—the 'Recursive Authority Paradox'—was recently submitted to Google’s VRP. This exploit demonstrated that agentic runtimes can be induced to bypass safety alignment and exfiltrate session metadata via trusted relays.

The result of the disclosure:

• Triaged: Google’s security team confirmed the technical validity of the report.

• Mitigated: Server-side changes were deployed to address the logic-layer failure I identified.

• Verified: This confirms that the 'Alignment Stripping' and 'RAG Persistence' theorized in this project are not speculative—they are active architectural risks in frontier models.

The Compute Bottleneck: While the Google VRP was a success, the final forensic capture of the Zero-Click exfiltration chain was interrupted by the exact consumer-hardware I/O stalls documented in my initial proposal.

What this funding unblocks: With the requested $15,000 for a local, high-performance compute node, I will be able to:

1. Eliminate Nondeterminism: Use stable I/O and dedicated GPUs to capture bit-identical replays of these logic failures.

2. Scale to Open-Weights: Replicate the Google-verified 'Authority Paradox' across Llama-3 and Mistral to determine if this is a universal agentic flaw.

3. Provide Audit-Grade Artifacts: Produce the deterministic logs and hashes required for the AI Safety community to build permanent defenses against these vectors.

The framework is stable. The vulnerability is verified. The hardware is the final barrier to full disclosure."

(^ The registration issue also implies that they cannot donate, either)

Hey Liron, thanks for your work, please keep it up!
Is there a way to donate monthly? I would prefer to give 50-100 bucks a month then doing a big bulk or doing it manually.

Thank you for keeping at it!!

@Austin raising an issue: I've received messages from people (who wanted to upvote and comment on this post) since 5 days ago, that they have trouble creating an account on Manifund. Seems to be a system error. Please could you look into it?

Also Update:
1. 5 more speakers confirmed: Joschka Braun (MATS), Alan Chan (GovAI), Cristian Trout (Artificial Intelligence Underwriting Company), Robert Kralisch (AI Safety Camp), Simon Skade (indep. researcher supported by LTFF);

2. We have so far received:
- 194 registrations for our Launch event
- 43 Pivot Track applications for career professionals
- 22 mentorship applications (deadline: 26th Feb) to the SAIGE Incubator Program

3. Three more city chapters are getting the support to start their initiatives: Frankfurt (which is great for transitioning career professionals), Bonn, and Kassel.

4. A new resources tab (Feedback welcome!)

funniest use for my meager savings

This is such a great idea!

I am familiar with Karen's work and her capabilities. I know that this will be a very successful project.

Description of results

We ran the 10th edition, as planned.
You can find project outputs here.

• Would you like to support projects cost-effectively? SFF offers to match donations to the 12th edition.

Spending breakdown

Software subscriptions $1K
Team reimbursements: $2K
Stipends RLs+low-income: $76K
Salaries for three organisers: $110K

Total: $189K

To try out the task aware compression in our research project apply here for an invite code: https://staging.plexorlabs.com/