Google AI Tool ‘Big Sleep’ Detects 20 New Open Source Security Flaws

Google’s Big Sleep AI wakes up to reveal hidden software threats.

Emmanuella Madu

Google’s AI-powered vulnerability researcher, Big Sleep, has made its debut with a major discovery, uncovering 20 security flaws across widely used open-source software. The tech giant announced the breakthrough on Monday through Heather Adkins, Google’s VP of Security.

Developed collaboratively by DeepMind and Project Zero, Google’s elite security team, Big Sleep leverages large language models (LLMs) to autonomously detect vulnerabilities. The AI identified flaws in prominent tools like FFmpeg, a popular multimedia framework, and ImageMagick, a widely used image-editing suite.

While the exact impact and severity of these vulnerabilities remain undisclosed, pending fixes, Google confirmed that each issue was found and reproduced entirely by the AI agent, with human experts only stepping in to validate the findings before reporting.

“To ensure high-quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” said Google spokesperson Kimberly Samra.

Royal Hansen, VP of Engineering at Google, highlighted the milestone as “a new frontier in automated vulnerability discovery,” emphasizing the growing reliability of AI in cybersecurity.

Big Sleep joins other AI-powered security tools like RunSybil and XBOW, the latter of which has already climbed leaderboards on HackerOne, a major bug bounty platform. However, experts caution that while AI tools show promise, false positives, known as “AI slop,” remain a concern.

“That’s the problem people are running into,” said Vlad Ionescu, CTO and co-founder of RunSybil. “We’re getting a lot of stuff that looks like gold, but it’s actually just crap.”

Despite these challenges, industry experts agree that Big Sleep is a solid initiative with a strong foundation in both AI expertise and vulnerability research. As these tools evolve, they could dramatically reshape the landscape of cybersecurity.
