Review for NeurIPS paper: MetaPoison: Practical General-purpose Clean-label Data Poisoning

Weaknesses: Aside from experiments and demonstration of data poisoning on some real applications, the paper does not have much novelty. Several previous works have shown that data poisoning has a bilevel formulation and showed how to solve it for simple machine learning models. The first-order method described in the paper to approximately solve the bilevel problem has also been applied to the problem previously by [Munoz-Gonzalez et. The paper uses a few step approximation and reverse mode automatic differentiation coupled with ensembling and reinitialization to solve the problem. As such the algorithm is not new however paper shows that the approach can be used to poison neural networks without handcrafted heuristics like water-marking which were essential in previous works.