Google says its AI-based bug hunter found 20 security vulnerabilities

Google has made headlines this week with its AI-driven bug detection tool, which has successfully identified its first set of security vulnerabilities. Heather Adkins, the company’s vice president of security, revealed that the large language model (LLM) known as Big Sleep has reported 20 security flaws in widely used open-source software. Developed by Google’s AI division, DeepMind, in collaboration with the renowned Project Zero hacking team, Big Sleep’s findings primarily flagged issues in popular software like the audio and video library FFmpeg and the image-editing application ImageMagick. Although the vulnerabilities remain unaddressed, details regarding their potential impact and severity are being withheld until fixes are implemented, consistent with Google's standard protocol. The significance of Big Sleep's discoveries cannot be overstated. It marks a pivotal moment in the evolution of automated tools that can effectively identify security weaknesses, even though human oversight is involved in the reporting process. Kimberly Samra, a Google spokesperson, emphasized that while AI was crucial in detecting the vulnerabilities, human experts validate the reports to ensure quality and accuracy. Royal Hansen, Google’s engineering VP, took to social media to express that these findings signify "a new frontier in automated vulnerability discovery." The emergence of LLM-based tools capable of uncovering vulnerabilities is no longer a theoretical concept; other AI agents like RunSybil and XBOW are also making strides in this field. Notably, XBOW has achieved recognition on the HackerOne platform for its impressive bug discovery capabilities. While the potential of these AI systems is substantial, challenges remain. Developers of various software projects have voiced concerns regarding reports generated by these tools, which sometimes prove to be false positives. Vlad Ionescu, CTO of RunSybil, noted that while Big Sleep is a credible project due to the expertise behind it, the industry faces a recurring issue of AI-generated reports that may appear valid but are fundamentally flawed. "We’re encountering numerous cases where what seems like a valuable find turns out to be misleading," Ionescu explained, highlighting the need for ongoing refinement in this emerging technology.