Big Sleep, the LLM-powered vulnerability research agent developed by Google DeepMind and Project Zero (Google's elite team of hackers), has reported its first batch of confirmed security flaws—20 in total—across widely used open source software.

Announced Monday by Heather Adkins, Google’s vice president of security, the Big Sleep system has successfully reported 20 security vulnerabilities in a range of open source projects. These include software libraries used for audio, video, and image processing, such as FFmpeg and ImageMagick.

While technical details on the bugs have not yet been released—standard practice to allow time for patching—Google emphasized the significance of this early success, as it demonstrates that AI-driven tools are now producing real-world results, even when supported by human oversight.

In a statement to TechCrunch, Google spokesperson Kimberly Samra clarified that although a human expert reviews each submission, “each vulnerability was found and reproduced by the AI agent without human intervention.” The expert acts only as a final quality gate to ensure reports are actionable and high quality.

The approach mirrors that of other LLM-based cybersecurity tools now in development or deployment, combining AI scalability with human oversight to minimize false positives and hallucinations.

On social media, Royal Hansen, Google’s vice president of engineering, called the discovery a demonstration of “a new frontier in automated vulnerability discovery.”

Big Sleep joins a growing cohort of AI systems aimed at security auditing, including projects like RunSybil and XBOW, which have already made waves in bug bounty programs such as HackerOne.

Commenting on the legitimacy of Big Sleep, Vlad Ionescu, CTO and co-founder of RunSybil, told TechCrunch:
“It has good design, people behind it know what they’re doing, Project Zero has the bug finding experience and DeepMind has the firepower and tokens to throw at it.”

While Big Sleep’s debut is promising, it comes amid broader scrutiny of AI-generated bug reports. Some open source maintainers have criticized the influx of false positives—hallucinated vulnerabilities submitted by automated tools in pursuit of bug bounties.

“That’s the problem people are running into,” Ionescu said in a previous interview. “We’re getting a lot of stuff that looks like gold, but it’s actually just crap.”

The risk of AI flooding developers with noisy or invalid reports remains a key concern as these tools gain wider use.

Q: What is Big Sleep?
A: An AI-powered vulnerability research agent developed by Google DeepMind and Project Zero.

Q: What did Big Sleep find?
A: It autonomously discovered and reproduced 20 security vulnerabilities in open source software.

Q: Was there human involvement?
A: Yes—human experts reviewed the findings, but the AI identified and reproduced the bugs independently.

Q: What software was affected?
A: Vulnerabilities were reported in tools like FFmpeg and ImageMagick.

Q: How does this compare to other AI tools?
A: Projects like RunSybil and XBOW also perform AI-assisted bug hunting, often with human review built in.

Big Sleep’s results mark a turning point in AI-powered vulnerability discovery, where language models are not just parsing code but actively surfacing real-world flaws—at scale. By embedding such tools into existing security workflows with expert oversight, companies like Google are exploring how AI can enhance software integrity without overwhelming developers.

As adversaries increasingly automate their own attacks, advances like Big Sleep may give defenders a much-needed edge.

This could be the beginning of a new chapter where AI defends open source just as fast as it might threaten it.

Editor’s Note: This article was created by Alicia Shapiro, CMO of AiNews.com, with writing, image, and idea-generation support from ChatGPT, an AI assistant. However, the final perspective and editorial choices are solely Alicia Shapiro’s. Special thanks to ChatGPT for assistance with research and editorial support in crafting this article.