Google Tool, Big Sleep, Finds 20 Software Vulnerabilities

Updated: August 5, 2025

[Image: A computer screen displaying multiple app icons (Google)]

Google has announced a significant achievement in AI-led security research. Its new AI system, Big Sleep, has identified 20 security vulnerabilities in several popular open-source software tools.

The announcement came on Monday from Heather Adkins, Google’s Vice President of Security.

She confirmed that the vulnerabilities were found by the AI system with minimal human assistance.

Big Sleep is a project developed jointly by DeepMind, Google’s AI division, and Project Zero, its well-known team of security experts.

This collaboration marks a new phase in the evolution of AI in cybersecurity.

How Big Sleep Works

Big Sleep uses a large language model (LLM) to scan software for potential flaws. It analyzes code, identifies patterns, and flags vulnerabilities.

However, before reporting any findings, a human expert steps in to verify the AI’s results and ensure the report meets Google’s quality standards.

According to Google spokesperson Kimberly Samra, each vulnerability was “found and reproduced by the AI agent without human intervention.”

The human input occurs only at the final stage, to confirm accuracy. This human-in-the-loop system ensures that the vulnerabilities reported are both legitimate and actionable.

[Image: Google DeepMind. Image Credits: Google]

Bugs

Big Sleep’s first successful findings include flaws in FFmpeg, a widely used audio and video processing library, and ImageMagick, a common tool for editing and converting images.

Both tools are critical parts of many systems and applications across the web. Yet, Google has not shared the specific nature of the flaws.

The company will release more details after software maintainers issue the necessary fixes. This is standard practice in responsible disclosure.

Industry Reaction

The announcement has drawn attention from across the tech industry.

Royal Hansen, Google’s Vice President of Engineering, stated that the discovery shows “a new frontier in automated vulnerability discovery.”

Several other AI-based bug-hunting tools already exist, such as RunSybil and XBOW.

All these tools follow a similar pattern: the AI identifies possible bugs, while human experts verify and submit the reports.

Experts believe that this hybrid approach (AI for discovery, humans for verification) is likely to define the near future of security research.

Benefits and Challenges of AI Bug Hunting

AI tools can scan code faster than humans, and they can spot subtle patterns that people might miss.

Yet some developers report false positives: bug reports that seem valid but turn out to be incorrect.

This issue is not unique to Big Sleep; it affects other AI tools as well. In some cases, developers have called these reports the “AI slop” of bug hunting.

Vlad Ionescu, co-founder and CTO at RunSybil, has voiced concern. “We’re getting a lot of stuff that looks like gold,” he said, “but it’s actually just crap.”

These false positives can waste time and resources. That is why human oversight remains crucial.
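The two checkpoints the article describes, an agent-produced reproduction before a finding counts at all and a human confirmation before anything is filed, can be enforced mechanically on the maintainer's side. The Python below is an added example written for this page, not Google's or Big Sleep's code: it models an incoming queue of AI-generated findings, holds anything without a working reproducer, routes reproduced findings to a reviewer, flags duplicate crash signatures, and measures how much of what reviewers saw turned out to be a false positive. All finding IDs, component names and crash signatures are constructed placeholders.

```python
"""Triage gate for AI-generated vulnerability findings (added example).

A finding advances only once the agent has actually reproduced it, and it
is filed only once a human reviewer has confirmed it. Component names,
IDs and signatures below are constructed placeholders, not real bugs.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    NEEDS_REPRO = "needs_repro"    # no working reproducer: do not file
    NEEDS_REVIEW = "needs_review"  # reproduced, waiting for a human
    ACCEPTED = "accepted"          # human confirmed: send to maintainers
    REJECTED = "rejected"          # human judged it a false positive
    DUPLICATE = "duplicate"        # same crash already in the queue


@dataclass
class Finding:
    finding_id: str
    component: str             # library the agent scanned (placeholder)
    signature: str             # stable crash signature, e.g. top stack frame
    reproducer: Optional[str]  # path to the agent's PoC input, if any
    reproduced: bool           # True only if re-running the PoC hit the bug
    reviewer: Optional[str] = None
    reviewer_confirmed: Optional[bool] = None


def triage(f: Finding) -> Status:
    """Apply the gates in order: evidence first, then human judgement."""
    if not f.reproducer or not f.reproduced:
        return Status.NEEDS_REPRO
    if f.reviewer is None or f.reviewer_confirmed is None:
        return Status.NEEDS_REVIEW
    return Status.ACCEPTED if f.reviewer_confirmed else Status.REJECTED


def triage_batch(findings: List[Finding]) -> Dict[str, Status]:
    """Triage a batch; first finding per (component, signature) wins,
    later ones with the same key are marked DUPLICATE."""
    seen = set()
    results: Dict[str, Status] = {}
    for f in findings:
        key = (f.component, f.signature)
        if key in seen:
            results[f.finding_id] = Status.DUPLICATE
            continue
        seen.add(key)
        results[f.finding_id] = triage(f)
    return results


def false_positive_rate(results: Dict[str, Status]) -> float:
    """Share of human-reviewed findings that were rejected (0.0 if none)."""
    reviewed = [s for s in results.values()
                if s in (Status.ACCEPTED, Status.REJECTED)]
    if not reviewed:
        return 0.0
    return reviewed.count(Status.REJECTED) / len(reviewed)


# Constructed sample queue: one of each outcome plus a duplicate.
SAMPLE = [
    Finding("F-001", "example-lib", "parse_chunk+0x1a", "poc/001.bin", True,
            reviewer="alice", reviewer_confirmed=True),
    Finding("F-002", "example-lib", "decode_frame+0x40", None, False),
    Finding("F-003", "example-lib", "read_header+0x8", "poc/003.bin", False),
    Finding("F-004", "example-tool", "resize+0x2c", "poc/004.bin", True),
    Finding("F-005", "example-tool", "load_palette+0x10", "poc/005.bin", True,
            reviewer="bob", reviewer_confirmed=False),
    Finding("F-006", "example-lib", "parse_chunk+0x1a", "poc/006.bin", True),
]

if __name__ == "__main__":
    results = triage_batch(SAMPLE)
    for fid, status in results.items():
        print(f"{fid}: {status.value}")
    print(f"false-positive rate among reviewed: {false_positive_rate(results):.0%}")
```

The point of the `NEEDS_REPRO` gate is that a report with no reproduction never reaches a human at all, which is where most of the wasted time the article mentions goes; the false-positive rate gives a maintainer a number to watch per tool or per submitter rather than an impression.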

Lolade

Contributor & AI Expert