
Google says its AI-based bug hunter found 20 security vulnerabilities

Google’s AI-driven bug hunter has just reported its first-ever security vulnerabilities.

Heather Adkins, Google’s Vice President of Security, announced Monday that the LLM-based vulnerability researcher Big Sleep found and reported 20 bugs in various popular open source software.

Adkins said that Big Sleep, which was developed by the company’s AI department DeepMind and its elite team of hackers, Project Zero, reported its very first vulnerabilities, mostly in open source software such as the audio and video library FFmpeg and the image editing suite ImageMagick.

Since the vulnerabilities have not yet been fixed, we have no details about their impact or severity, as Google does not want to provide details yet, which is standard policy while waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant because it shows that these tools are starting to get real results, even if a human was involved in this case.

“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” Google spokesperson Kimberly Samra told WAN.

Royal Hansen, Google’s Vice President of Engineering, wrote on X that the findings demonstrate “a new frontier in automated vulnerability discovery.”

LLM-driven tools that can search for and find vulnerabilities are already a reality. Apart from Big Sleep, there are Runsybil and XBOW, among others.


XBOW made headlines when it reached the top of one of the U.S. leaderboards on the bug bounty platform HackerOne. It is important to note that in most cases these reports have a human involved at some point in the process to verify that the AI-driven bug hunter has found a legitimate vulnerability, as is the case with Big Sleep.


Vlad Ionescu, co-founder and Chief Technology Officer at Runsybil, a startup that develops AI-driven bug hunters, told TechCrunch that Big Sleep is a “legitimate” project, since it “has good design, the people behind it know what they are doing, Project Zero has the bug-finding experience and DeepMind has the firepower.”

There is clearly a lot of promise in these tools, but also significant drawbacks. Various maintainers of different software projects have complained about bug reports that are actually hallucinations, which some have called the bug bounty equivalent of AI slop.

“The problem people are running into is that we get a lot of things that look like gold, but it is actually just nonsense,” Ionescu told WAN earlier.
