Google’s experimental AI-powered vulnerability hunter has flagged its first set of security issues. According to Heather Adkins, Google’s VP of Security, the system has already identified 20 bugs across well-known open-source software libraries.
The AI tool in question, codenamed Big Sleep, was developed by DeepMind in collaboration with Google’s elite security team, Project Zero. Adkins confirmed that these early findings mostly target tools like FFmpeg — a widely used audio and video library — and ImageMagick, an open-source image processing suite.
The vulnerabilities themselves haven’t been publicly detailed yet. That’s standard practice until patches are issued. However, Google says the important bit is that Big Sleep autonomously found and reproduced the bugs, albeit with a human security analyst reviewing the findings before formal disclosure.
“Each vulnerability was found and reproduced by the AI agent without human intervention,” confirmed Google spokesperson Kimberly Samra. “To ensure high-quality and actionable reports, we have a human expert in the loop before reporting.”
Royal Hansen, who leads engineering for Google’s security team, called it “a new frontier in automated vulnerability discovery” in a post on X.
Big Sleep joins a growing list of AI tools now capable of discovering software flaws. Competitors like RunSybil and XBOW have already made headlines in the security world, particularly after XBOW climbed to the top of a bug bounty leaderboard hosted by HackerOne.
Vlad Ionescu, CTO and co-founder at RunSybil, said Big Sleep is “legit,” praising its design and the depth of experience behind it. “Project Zero has the bug finding experience and DeepMind has the firepower and tokens to throw at it,” he told TechCrunch.
Despite the early promise, not everyone is sold on AI bug hunters. Developers running open-source projects have warned of low-quality or hallucinated bug reports, calling some of them the bug bounty equivalent of AI slop.
“That’s the problem people are running into. We’re getting a lot of stuff that looks like gold, but it’s actually just crap,” Ionescu added.
Whether Big Sleep avoids that pitfall remains to be seen, but its early success suggests AI-led vulnerability discovery is no longer a theoretical promise. It’s already here — and it’s finding flaws at scale.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
