Google’s AI-powered bug hunter just reported the first batch of security vulnerabilities.
Google’s vice president of security, Heather Adkins, announced Monday that its LLM-based vulnerability researcher Big Sleep has discovered and reported 20 flaws in a variety of popular open source software.
Adkins said Big Sleep, developed by the company’s AI division DeepMind and its elite team of hackers Project Zero, reported its first vulnerabilities, mostly in open source software, including the audio and video library FFmpeg and the image editing suite ImageMagick.
Given that the vulnerabilities have not been fixed yet, Google does not want to provide details, so there is no information on their impact or severity. This is standard policy when waiting for a bug to be fixed. However, the simple fact that Big Sleep discovered these vulnerabilities is significant, as it shows these tools are starting to get real results, even if humans were involved in this case.
“To ensure high quality and practical reporting, there are human experts in the loop before reporting, but each vulnerability was found and reproduced by an AI agent without human intervention,” Google spokesperson Kimberly Samra told TechCrunch.
Royal Hansen, Google’s vice president of engineering, wrote on X that the findings point to a “new frontier of automated vulnerability discovery.”
LLM-driven tools that can search for and find vulnerabilities are already a reality. Besides Big Sleep, there are also RunSybil and XBOW.
XBOW made headlines after reaching the top of the US leaderboard on the bug bounty platform HackerOne. It is important to note that in most cases a human is involved at some point in the process, to verify that the AI-powered bug hunter has found a legitimate vulnerability, as was the case with Big Sleep.
Vlad Ionescu, co-founder and chief technology officer of RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch that Big Sleep is a “legit” project.
These tools clearly show a lot of promise, but they also have significant drawbacks. Several people maintaining various software projects have complained of receiving bug reports that are actually hallucinated; some have called them the bug bounty equivalent of AI slop.
“It’s a problem people are encountering. There’s a lot of stuff that looks like gold, but it’s actually just crap,” Ionescu previously told TechCrunch.