The first set of security flaws discovered by Google’s AI-powered bug hunter has just been released.
Google’s vice president of security, Heather Adkins, revealed on Monday that Big Sleep, an LLM-based vulnerability researcher, had discovered and reported 20 vulnerabilities in a variety of well-known open source programs.
According to Adkins, Big Sleep, which is created by the company’s AI division DeepMind and its top hacking team Project Zero, disclosed its initial vulnerabilities, primarily in open source programs like the image editing program ImageMagick and the audio and video library FFmpeg.
We don’t know the impact or severity of the vulnerabilities because they haven’t been repaired yet. This is because Google doesn’t want to share information just yet, which is usual procedure when waiting for flaws to be fixed. Even if a human was engaged in this example, the fact that Big Sleep discovered these vulnerabilities is noteworthy since it indicates that these technologies are beginning to produce tangible outcomes.
Google spokesperson Kimberly Samra said , “We have a human expert in the loop before reporting to ensure high quality and actionable reports, but each vulnerability was found and reproduced by the AI agent without human intervention.”
According to Royal Hansen, Google’s vice president of engineering, the results show “a new frontier in automated vulnerability discovery” on X.
Vulnerability detection technologies with LLM capabilities are already a reality. In addition to Big Sleep, there are other options like RunSybil and XBOW.
Following its ascent to the top of one of the U.S. leaderboards at bug bounty platform HackerOne, XBOW has made news. It’s crucial to remember that, as is the case with Big Sleep, these reports typically involve a human at some stage to confirm that the AI-powered bug hunter discovered a genuine vulnerability.
Big Sleep has “good design, people behind it know what they’re doing, Project Zero has the bug finding experience, and DeepMind has the firepower and tokens to throw at it,” according to Vlad Ionescu, co-founder and chief technology officer of RunSybil, a startup that creates AI-powered bug hunters, who spoke about the project’s legitimacy.
These tools clearly have a lot of potential, but they also have serious drawbacks. Many who oversee various software projects have expressed dissatisfaction about bug reports that are actually hallucinations; some have referred to these as the bug bounty equivalent of AI slop.
Ionescu previously said, “The issue people are having is that we’re getting a lot of stuff that looks like gold, but it’s actually just crap.”