Google says its AI bug hunter, Big Sleep, discovered 20 security flaws


Google says its AI bug hunter, Big Sleep, has discovered 20 security flaws in popular open-source tools like FFmpeg and ImageMagick—all on its first real run. The tool, built by DeepMind and Project Zero, didn’t need human prompts to find or reproduce the bugs. Humans still reviewed and verified each one before they were reported.



Big Sleep is built around a large language model (LLM) that can scan and test code at scale, and this marks one of the first times an AI agent has spotted this many real-world vulnerabilities on its own. Google’s VP of Security Engineering, Royal Hansen, called it “a new frontier,” while Heather Adkins, another VP at Google, said the tech could help secure the open-source software millions rely on.


This isn’t Big Sleep’s first win either. The AI previously found a buffer underflow in SQLite—before it was officially documented.


Still, the AI isn’t replacing humans anytime soon. The process depends on experts to confirm what’s real and what’s noise. But it’s a strong sign that AI might soon be doing a lot more of the heavy lifting in vulnerability research—automating early discovery so that human teams can move faster.
