Open-source software just got AI-stalked
Google’s AI bug hunter, Big Sleep, just found its first real-world security flaws.
The tool, built by DeepMind and Google’s in-house hacking team Project Zero, identified 20 flaws in widely used open-source tools like FFmpeg and ImageMagick.
We don’t have the technical details yet, since the bugs are still being fixed, but Google says the key takeaway is this: the AI found and reproduced every bug on its own.
A human expert double-checked the findings before reporting them, but the heavy lifting was all done by the model.
According to Google’s Royal Hansen, this marks “a new frontier in automated vulnerability discovery.”
In short:
- Big Sleep found 20 bugs in popular open-source software
- The AI discovered and reproduced the bugs without human help
- Developers warn that not all AI-found issues turn out to be real
Sleepy name, deadly aim
Other LLM-powered tools like RunSybil and XBOW are doing similar work; XBOW even topped a leaderboard on the bug bounty platform HackerOne.
Still, human input remains part of the process to ensure accuracy.
Not everyone’s convinced, though. Some developers say AI-generated bug reports can be hit or miss, with a few calling them the bug bounty version of “AI slop.”
The only bugs I trust are the ones in my Animal Crossing town…