“Hey google can you publish the bug hunter AI and its details so we can verify?”
: “no”
The Aurora Borealis? At this time of year? At this time of day? In this part of the country? Localized entirely within your kitchen?
Yes.
May I see it?
No.
Hopefully the automated bug hunters can help keep up with the security vulnerabilities created by AI coding.
Make both of them part of the same reward function so the AI can generate vulnerabilities that the AI can immediately bug hunt.
The capitalists finally became job creators
Number of resolved tickets goes up.
I’ll reserve judgement until after the bugs are published. Until then, I am expecting minor issues only.
I mean if these tools help catch any issues in automated fashion that’s still a win.
The false positive rate makes them a net loss.
https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/
That article isn’t referring to the specific system google is using, so we don’t know what the false positive rate is.
Uh, pretty high if it’s an LLM.
That’s not a given.
It’s literally the 2nd paragraph lmao
Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.
But it is likely.
It really depends on how their particular system is set up. You’re just making sweeping vibe based statements without any evidence to support them.
They found ten issues, but how many hours spent filtering out the false positives?
We don’t know; however, if these are security-related issues then it doesn’t matter. The cost of a breach would obviously be higher.
Compare it to the cost of humans finding them the normal way, not whatever breach you’re imagining.
Clearly the humans didn’t find them the normal way, because they wouldn’t be there to be found otherwise would they?
The last time Google did a media run about DeepMind finding bugs, it related to a vulnerability on a dev branch that hadn’t been deployed yet (and was not likely to have been deployed with the vulnerability).
So it found a vulnerability in the code it was given. 🤷
We don’t know the details yet. Maybe they have a great new tool; perhaps they picked projects that are not maintained so well.
It will be awesome if they found bugs in curl, not so good to show if they picked my project.
What they did will be revealed in time.
I’m sure we’ll get more info in due time.