Google's new AI-powered bug hunting tool finds major issues in open source software


  • Big Sleep is an AI-powered vulnerability hunter built by DeepMind and Project Zero
  • The first batch of 20 vulnerabilities it has spotted has been announced
  • Details are under wraps to give devs time to patch them

Google's AI-powered tool designed to find bugs, Big Sleep, has reported its first batch of 20 security vulnerabilities in open source software.

Developed by AI and security teams from Google's DeepMind and Project Zero, Big Sleep found its first vulnerabilities in software such as FFmpeg and ImageMagick. Details of those vulnerabilities remain undisclosed until they have been patched.

Google says Big Sleep marks a significant step forward in app security, with AI capable of autonomously uncovering and reporting vulnerabilities more effectively than human security workers.

Big Sleep digs up the dirt on open source software bugs

Each of the 20 bugs was found and reproduced autonomously by Big Sleep, though Google notes that a human expert reviews the findings before they are reported. That human review is meant to temper worries about false positives or hallucinated bugs by ensuring each issue is genuinely worth reporting to the respective developers.

Finer details such as CVE IDs, technical explanations and proofs of concept are withheld for now under Google's 90-day disclosure policy, giving developers time to patch the vulnerabilities before attackers can exploit them.

"By November 2024, Big Sleep was able to find its first real-world security vulnerability, showing the immense potential of AI to plug security holes before they impact users," President of Global Affairs Kent Walker boasted in a blog post.

VP for Security Engineering Heather Adkins announced the news in an X post: "Today as part of our commitment to transparency in this space, we are proud to announce that we have reported the first 20 vulnerabilities discovered using our AI-based 'Big Sleep' system powered by Gemini."

Google maintains a public list of the vulnerabilities, which currently contains the first 20, separated into high, medium and low impact issues.

Google plans a full technical briefing at the upcoming Black Hat USA and DEF CON 33 events, and will donate anonymized training data to the Secure AI Framework so other researchers can benefit from the tech.

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!