This Google AI tool has found bugs in popular software
Big Sleep is a collaboration between DeepMind and Project Zero

Aug 05, 2025
01:39 pm

What's the story

Google's artificial intelligence (AI)-powered bug hunter, Big Sleep, has discovered its first batch of security vulnerabilities. The flaws were found in popular open-source software such as the audio/video library FFmpeg and the image-editing suite ImageMagick. Big Sleep was developed by DeepMind, Google's AI division, and Project Zero, an elite team of hackers.

AI autonomy

Each vulnerability was discovered and reproduced by Big Sleep

Although a human expert reviews the reports before they're submitted, each vulnerability was discovered and reproduced by Big Sleep without any human assistance. This was confirmed by Google's spokesperson Kimberly Samra. Royal Hansen, Google's VP of Engineering, also highlighted the significance of these findings in his X post. He described them as "a new frontier in automated vulnerability discovery."

Market competition

Other AI tools also searching for vulnerabilities

Big Sleep isn't the only AI tool looking for vulnerabilities. Competitors in the space include RunSybil and XBOW, among others. Notably, XBOW has made headlines by topping one of the US leaderboards on the bug bounty platform HackerOne. Human verification is usually involved at some stage of this process to confirm that an AI-powered bug hunter found a legitimate vulnerability.

Industry outlook

Complaints about hallucinations in bug reports

The promise of AI bug hunters is huge, but there are also major downsides. Some software project maintainers have complained about hallucinations in bug reports, calling them the bug bounty equivalent of "AI slop." Vlad Ionescu, co-founder and CTO at RunSybil, a start-up that builds AI-powered bug hunters, confirmed this issue to TechCrunch.