Google's AI bug hunter Big Sleep uncovers 20 security flaws in open source software

Google has announced that its AI-powered vulnerability discovery system, Big Sleep, has identified and reported 20 security flaws in popular open source software. The announcement was made by Heather Adkins, Google’s vice president of security, who confirmed that the AI agent, developed by DeepMind in collaboration with Google’s elite security team Project Zero, has successfully delivered its first batch of real-world findings. Big Sleep uncovered vulnerabilities in widely used open source projects such as FFmpeg, an audio and video processing library, and ImageMagick, an image-editing suite. While the specific details of the flaws remain undisclosed—due to Google’s standard policy of withholding information until patches are released—the fact that the AI system detected them marks a significant milestone in the evolution of automated security research. Google emphasized that while human experts reviewed and validated each finding to ensure quality and actionability, the AI agent independently discovered and reproduced every vulnerability without human intervention during the initial stages of investigation. “Each vulnerability was found and reproduced by the AI agent without human intervention,” said Kimberly Samra, a Google spokesperson, highlighting the autonomy of the system. Royal Hansen, Google’s vice president of engineering, described the achievement as a “new frontier in automated vulnerability discovery” in a post on X. Big Sleep is not the only AI-driven tool making waves in the cybersecurity space. Others, such as RunSybil and XBOW, have also demonstrated promise in identifying security flaws. XBOW, in particular, has gained attention by ranking at the top of a U.S. leaderboard on the bug bounty platform HackerOne. However, the rise of AI-powered bug hunters has also brought challenges. Some open source maintainers have raised concerns about false positives—reports based on AI hallucinations that appear credible but are not actual vulnerabilities. These so-called “AI slop” reports can overwhelm developers and waste valuable time. “People are running into the problem that they’re getting a lot of stuff that looks like gold, but it’s actually just crap,” said Vlad Ionescu, co-founder and CTO of RunSybil, a company building AI-powered security tools. He praised Big Sleep as a “legit” project, noting the strong backing from Project Zero and DeepMind, both of which bring deep expertise and substantial computational resources to the effort. While the potential of AI in cybersecurity is undeniable, the current landscape underscores the need for careful validation and human oversight. The success of systems like Big Sleep shows that AI can now contribute meaningfully to security research—but it also highlights the ongoing challenge of distinguishing genuine threats from misleading or fabricated findings.