Google's new AI-powered bug hunter, Big Sleep, has successfully found and reported its first 20 security flaws. The tool, developed by Google's DeepMind and Project Zero teams, identified vulnerabilities in popular open-source software like FFmpeg and ImageMagick.
While a human expert was involved in the final verification process, Google confirmed that Big Sleep, an LLM-based vulnerability researcher, autonomously found and reproduced each flaw. This breakthrough, hailed by Google's VP of Engineering, Royal Hansen, as "a new frontier in automated vulnerability discovery," marks a significant step for AI in cybersecurity.
Google's Heather Adkins, VP of security, announced the findings, but details on the impact and severity of the vulnerabilities remain undisclosed, which is standard practice while the bugs are waiting to be fixed.
The Rise of AI Bug Hunters
Big Sleep isn't the only AI tool in the game. Others, such as RunSybil and XBOW, are also making waves. XBOW, for instance, recently topped a U.S. leaderboard on the bug bounty platform HackerOne.
Despite the promise of these tools, there are challenges. Some software maintainers have voiced concerns about a rise in "AI slop"—bug reports that are actually hallucinations and not legitimate vulnerabilities. However, experts like Vlad Ionescu, co-founder of RunSybil, consider Big Sleep a "legit" project with the right expertise and resources behind it.