Google’s AI Tool Uncovers 20 Security Flaws

by Tekmono Editorial Team
05/08/2025

Google’s AI-powered vulnerability researcher, Big Sleep, has identified 20 security flaws in popular open-source software, marking the first batch of vulnerabilities discovered by the LLM-based tool developed by Google’s AI department DeepMind and Project Zero.

According to Heather Adkins, Google’s vice president of security, Big Sleep’s initial findings were primarily in open-source software, including the audio and video library FFmpeg and the image-editing suite ImageMagick. Specific details about the impact and severity of these vulnerabilities are being withheld until they are fixed, but Google emphasizes the significance of the findings as an indication of AI tools’ growing capability in real-world vulnerability discovery.

Kimberly Samra, a Google spokesperson, clarified the process, stating, “To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention.” This highlights a human verification step to ensure the legitimacy of AI-identified flaws.

Royal Hansen, Google’s vice president of engineering, characterized Big Sleep’s achievements on X as demonstrating “a new frontier in automated vulnerability discovery.” The emergence of LLM-powered tools for vulnerability detection is a growing trend, with other notable examples including RunSybil and Xbow.

Xbow has gained attention for topping a U.S. leaderboard on the bug bounty platform HackerOne. Similar to Big Sleep, many of these AI-powered bug hunters incorporate human verification to confirm the validity of reported vulnerabilities. Vlad Ionescu, co-founder and CTO of RunSybil, praised Big Sleep as a “legit” project, attributing its credibility to “good design, people behind it know what they’re doing, Project Zero has the bug finding experience and DeepMind has the firepower and tokens to throw at it.”

Despite the immense promise, these AI tools also present challenges. Software maintainers have voiced concerns about an increase in “hallucinated” bug reports generated by AI, which some have likened to “AI slop” in the bug bounty landscape. Ionescu previously noted, “That’s the problem people are running into, is we’re getting a lot of stuff that looks like gold, but it’s actually just crap.” This underscores the ongoing need for human oversight in the nascent field of AI-driven vulnerability discovery.
