- Big Sleep AI-powered vulnerability hunter built by DeepMind and Project Zero
- The first batch of 20 vulnerabilities it has spotted have been announced
- Details are under wraps to give devs time to patch them
Google’s AI-powered tool designed to find bugs, Big Sleep, has reported its first batch of 20 security vulnerabilities in open source software.
Developed by AI and security teams from Google’s DeepMind and Project Zero, the first vulnerabilities were found in the likes of FFmpeg and ImageMagick, however details of those vulnerabilities remain undisclosed until they have been patched.
Google says Big Sleep marks a significant step forward in app security, with AI capable of autonomously uncovering and reporting vulnerabilities more effectively than human security workers.
Big Sleep digs up the dirt on open source software bugs
Each of the 20 bugs was found and reproduced autonomously by Big Sleep, though Google notes that a human expert does review the findings before making reports public – with human review important to temper worries over false positives or hallucinated bugs by ensuring the issues are worthy of being reported to their respective developers.
Finer details like CVE IDs, technical explanations and proofs of concept are withheld for now under Google’s 90-day policy to give developers time to patch the vulnerabilities without attackers getting in first.
“By November 2024, Big Sleep was able to find its first real-world security vulnerability, showing the immense potential of AI to plug security holes before they impact users,” President of Global Affairs Kent Walker boasted in a blog post.
VP for Security Engineering, Heather Adkins, announced the news in an X post: “Today as part of our commitment to transparency in this space, we are proud to announce that we have reported the first 20 vulnerabilities discovered using our AI-based “Big Sleep” system powered by Gemini.”
Google keeps a full list of vulnerabilities, which currently includes the first 20, separated into high, medium and low impact issues.
Google plans a full technical briefing at the upcoming Black Hat USA and DEF CON 33 events, and will donate anonymized training data to the Secure AI Framework so other researchers can benefit from the tech.