this post was submitted on 11 Aug 2025
30 points (100.0% liked)

technology

[–] EnsignRedshirt@hexbear.net 41 points 1 month ago (1 children)

Hopefully the automated bug hunters can help keep up with the security vulnerabilities created by AI coding.

[–] invalidusernamelol@hexbear.net 24 points 1 month ago (1 children)

Make both of them part of the same reward function so the AI can generate vulnerabilities that the AI can immediately bug hunt.

[–] GrouchyGrouse@hexbear.net 11 points 1 month ago (1 children)

The capitalists finally became job creators

[–] invalidusernamelol@hexbear.net 5 points 1 month ago

Number of resolved tickets go up

[–] hello_hello@hexbear.net 36 points 1 month ago (2 children)

"Hey google can you publish the bug hunter AI and its details so we can verify?" doggirl-smart

porky-happy : "no"

doggirl-sleep

[–] Palacegalleryratio@hexbear.net 6 points 1 month ago

The Aurora Borealis? At this time of year? At this time of day? In this part of the country? Localized entirely within your kitchen?

Yes.

May I see it?

No.

[–] limer@lemmy.ml 18 points 1 month ago (1 children)

I’ll reserve judgement until after the bugs are published. Until then, I am expecting minor issues only.

[–] yogthos@lemmygrad.ml 5 points 1 month ago (2 children)

I mean if these tools help catch any issues in automated fashion that's still a win.

[–] limer@lemmy.ml 21 points 1 month ago (1 children)

They found ten issues, but how many hours spent filtering out the false positives?

[–] yogthos@lemmygrad.ml 1 points 1 month ago (1 children)

We don't know; however, if these are security-related issues then it doesn't matter. The cost of a breach would obviously be higher.

[–] Le_Wokisme@hexbear.net 5 points 1 month ago (1 children)

Compare to the cost of humans finding them the normal way, not whatever breach you're imagining.

[–] yogthos@lemmygrad.ml 2 points 1 month ago (2 children)

Clearly the humans didn't find them the normal way, because they wouldn't be there to be found otherwise, would they?

[–] limer@lemmy.ml 3 points 1 month ago (1 children)

We don’t know the details yet. Maybe they have a great new tool; perhaps they picked projects that are not maintained so well.

It will be awesome if they found bugs in curl, not so good to show if they picked my project.

What they did will be revealed in time.

[–] yogthos@lemmygrad.ml 2 points 1 month ago (1 children)

I'm sure we'll get more info in due time.

[–] limer@lemmy.ml 2 points 1 month ago

Yes, hopefully in a couple of weeks.

[–] WrongOnTheInternet@hexbear.net 2 points 1 month ago (1 children)

The last time Google did a media run about DeepMind finding bugs, it related to a vulnerability on a dev branch that hadn't been deployed yet (and was not likely to have been with the vulnerability).

[–] yogthos@lemmygrad.ml 2 points 1 month ago (1 children)

So it found a vulnerability in the code it was given. 🤷

[–] WrongOnTheInternet@hexbear.net 2 points 1 month ago* (last edited 1 month ago) (1 children)

I don't think anyone is suggesting that it is impossible for an LLM to find any vulnerabilities?

But right now we are specifically discussing the costs of a breach, and your post that I responded to specifically relied on a bug not being identified by a person.

The discussion isn't whether an LLM can identify bugs, it's whether it can do so in a useful way. In the single previous example, it was not useful.

But similar to the last time, it is likely that the limited utility will not be known until well after the breathless reporting on how amazing AI is.

[–] yogthos@lemmygrad.ml 2 points 1 month ago

In the example you provided, it found a vulnerability, which is useful, but they didn't point it at production code. The vulnerability might have been found by other tests and code reviews or it might have not been. The question of whether it's valuable or not really depends on what sort of code we're talking about and what the cost of missing a vulnerability would be.

All I'm saying here is that AI is just another tool that helps find bugs. People here freaking out over the idea that there might be legitimate uses for AI is kind of hilarious to be honest.

[–] TrashGoblin@hexbear.net 13 points 1 month ago (1 children)
[–] yogthos@lemmygrad.ml 2 points 1 month ago (1 children)

That article isn't referring to the specific system google is using, so we don't know what the false positive rate is.

[–] WrongOnTheInternet@hexbear.net 9 points 1 month ago (1 children)

Uh, pretty high if it's an LLM.

[–] yogthos@lemmygrad.ml 0 points 1 month ago (2 children)
[–] Orcocracy@hexbear.net 8 points 1 month ago (1 children)
[–] yogthos@lemmygrad.ml 0 points 1 month ago (1 children)

It really depends on how their particular system is set up. You're just making sweeping vibe-based statements without any evidence to support them.

[–] Orcocracy@hexbear.net 7 points 1 month ago (1 children)

Yeah, like maybe this is one of those AIs that is actually just a guy in the Philippines being paid shit wages. Or maybe it’s a dumb LLM that makes lots of mistakes. Or maybe it’s all just bullshit from TechCrunch where an underpaid journalist is just recycling a fucking press release from Google and none of this actually happened anything like how it’s written.

[–] yogthos@lemmygrad.ml 0 points 1 month ago (1 children)

Or maybe new technology actually has valid applications despite the hype associated with it.

[–] Orcocracy@hexbear.net 5 points 1 month ago (1 children)

It’s not entirely impossible. But given the story is light on detail and the main source is Google PR it looks very much like a case of hypemongering.

[–] yogthos@lemmygrad.ml 1 points 1 month ago

I mean, we'll see. In general, stuff like finding vulnerabilities in large code bases seems like a good fit for this tech. All it's doing is making statistical inferences based on training, and this can help spot problems that would be hard to track down by hand.

[–] GaveUp@hexbear.net 2 points 1 month ago (1 children)

It's literally the 2nd paragraph lmao:

Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.

[–] yogthos@lemmygrad.ml 1 points 1 month ago

What specifically do you think this paragraph says lmao