Google Announces AI-Powered Bug Hunter Discovers 20 Security Flaws

[Image: Google DeepMind presented onstage]

Google’s AI bug hunter just found its first security holes.

Big Sleep, Google’s LLM-powered vulnerability researcher from DeepMind and Project Zero, reported 20 flaws in popular open source software.

The bugs hit big names like FFmpeg and ImageMagick. None are fixed yet, so Google isn’t releasing severity or impact details until patches are available, which is its standard disclosure policy.


Google’s spokesperson Kimberly Samra told TechCrunch the AI found and reproduced every vulnerability without human help — but a human expert reviewed all reports before public disclosure.

“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,”
Kimberly Samra, Google spokesperson

Google VP of Engineering Royal Hansen called it “a new frontier in automated vulnerability discovery.”

Big Sleep isn’t alone. AI bug finders like RunSybil and XBOW are already active. XBOW recently topped HackerOne’s U.S. leaderboard. But human validation remains critical to filter real bugs from AI “hallucinations.”

RunSybil CTO Vlad Ionescu told TechCrunch Big Sleep is “legit,” backed by Project Zero’s experience and DeepMind’s resources.

“That’s the problem people are running into, is we’re getting a lot of stuff that looks like gold, but it’s actually just crap,”
Vlad Ionescu, RunSybil CTO

AI bug hunting is advancing fast but still rough around the edges. Big Sleep’s new loot shows the promise — and the challenge — of automated vulnerability discovery.
