Google’s AI Bug Hunter ‘Big Sleep’ Uncovers 20 Security Vulnerabilities

Google’s cutting-edge AI security researcher, known as Big Sleep, has made its inaugural contribution to cybersecurity by identifying and reporting its first batch of security vulnerabilities.

Heather Adkins, Google’s vice president of security, announced on Monday that Big Sleep, an AI tool developed collaboratively by Google’s AI division DeepMind and its elite hacking unit Project Zero, has successfully found and reported 20 flaws.

These vulnerabilities were primarily discovered in popular open-source software, including the widely used audio and video library FFmpeg and the image-editing suite ImageMagick.

As the reported vulnerabilities have not yet been fixed, specific details regarding their impact or severity are being withheld by Google. This is a standard procedure to allow developers ample time to patch the issues before public disclosure.

The significance of Big Sleep’s findings lies in its demonstrated ability to produce real-world results, even though a human expert is involved in the reporting process. Google clarified that while a human expert validates the reports for quality and actionability, the AI agent itself found and reproduced each vulnerability without direct human intervention during the discovery phase.

“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” a Google spokesperson, Kimberly Samra, told TechCrunch. Royal Hansen, Google’s vice president of engineering, echoed the sentiment, stating on X that these findings represent “a new frontier in automated vulnerability discovery.”

The emergence of LLM-powered tools capable of identifying vulnerabilities is rapidly becoming a reality. Alongside Big Sleep, other notable AI security researchers like RunSybil and XBOW are contributing to this evolving landscape, with XBOW notably reaching the top of a U.S. leaderboard on the bug bounty platform HackerOne.

Vlad Ionescu, co-founder and chief technology officer at RunSybil, described Big Sleep as a “legit” project, praising its solid design and the expertise of its creators, including Project Zero’s experience and DeepMind’s computational power. However, the increasing reliance on AI in bug hunting also presents challenges. Maintainers of various software projects have reported an influx of AI-generated bug reports that are often inaccurate or “hallucinated,” leading some to dub them the “bug bounty equivalent of AI slop.”

Ionescu highlighted this concern, stating, “That’s the problem people are running into, is we’re getting a lot of stuff that looks like gold, but it’s actually just crap.” This underscores the ongoing need for careful human review and refinement of AI security tools to ensure their effectiveness and reliability.

© 2025 Proaitools. All rights reserved.