- Apr 30, 2026
Heather Adkins, Vice President of Google’s Security Division, announced on Monday that the company’s AI division DeepMind, in collaboration with the hacker team Project Zero, has developed an LLM-based vulnerability researcher called ‘Big Sleep.’ For the first time, Big Sleep has discovered and reported 20 security vulnerabilities in various popular open-source software projects.
Adkins said that these vulnerabilities identified by Big Sleep have not yet been fixed, so the full impact and severity are not yet clear. According to Google’s policy, such information is not disclosed until the bugs are patched. Nevertheless, this discovery is significant because it shows that AI-based tools are starting to produce real results, though a human expert verified the reports beforehand.
Google spokesperson Kimberly Samra said,
“Each vulnerability was discovered and reproduced by the AI agent itself, but an expert verified it before reporting.”
Google’s Engineering Vice President Royal Hansen added,
“This is a new frontier in automated vulnerability discovery.”
In addition to Big Sleep, other LLM-based bug hunters like RunSybil and XBOW are already operational. Notably, XBOW has ranked at the top of the HackerOne bug bounty platform. However, human verification remains essential to ensure the AI accurately identifies true vulnerabilities.
RunSybil’s co-founder and CTO Vlad Ionescu described Big Sleep as a “credible project.” He said,
“There are knowledgeable people behind it, experienced in Project Zero bug hunting, with DeepMind providing technical strength.”
However, some challenges exist with this technology. Software maintainers have complained that many AI-generated bug reports are false positives or “hallucinations,” sometimes referred to as ‘AI slop’ or low-quality reports.
Ionescu commented,
“Often, we receive things that look like gold but turn out to be junk.”
These AI-driven bug hunting tools have opened new possibilities in technology and security, promising faster identification and patching of software vulnerabilities in the future.