Adkins said that Big Sleep, which is developed by the company’s AI department DeepMind as well as its elite team of hackers from Project Zero, has reported their first ever vulnerability, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.
Given that the vulnerabilities are not to be fixed yet, we don’t have any further information regarding the impact or severity of the matter. Google will probably be releasing any details as soon as the vulnerabilities are resolved, which is standard procedure. Yet, the most significant thing is that Big Sleep succeeded in finding those vulnerabilities is a significant progress, proving that those tools are starting to get real results, even though humans were involved in this case.
Kimberly Samra reported for TechCrunch that “To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,”.
Google’s VP of engineering, Royal Hansen, wrote in a X post that those findings demonstrate “a new frontier in automated vulnerability discovery.”.
It is also worth mentioning that LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.
Subscribe to our newsletter
XBOW has generated headlines after it reached the top of one of the top US leaderboards at bug bounty platform HackerOne. It’s also important to note that in the majority of cases, these reports involve a human at some point in the process in order to verify that the AI-powered bug hunter found a legitimate vulnerability, as is the case with Big Sleep.
The CEO from RunSybil, a startup that develops AI-powered bug hunters, reported for TechCrunch that Big Sleep is a “legit” project, given that it has “good design, people behind it know what they’re doing, Project Zero has the bug finding experience, and DeepMind has the firepower and tokens to throw at it.”
Kimberly Samra reported for TechCrunch that “To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,”.
Google’s VP of engineering, Royal Hansen, wrote in a X post that those findings demonstrate “a new frontier in automated vulnerability discovery.”.
It is also worth mentioning that LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.
Subscribe to our newsletter
XBOW has generated headlines after it reached the top of one of the top US leaderboards at bug bounty platform HackerOne. It’s also important to note that in the majority of cases, these reports involve a human at some point in the process in order to verify that the AI-powered bug hunter found a legitimate vulnerability, as is the case with Big Sleep.
The CEO from RunSybil, a startup that develops AI-powered bug hunters, reported for TechCrunch that Big Sleep is a “legit” project, given that it has “good design, people behind it know what they’re doing, Project Zero has the bug finding experience, and DeepMind has the firepower and tokens to throw at it.”
