🛡️ AI Is Now Hunting (and Exploiting) Bugs
What That Means for Cybersecurity
Hey friends,
Big news this week in the world of AI and cybersecurity: artificial intelligence isn’t just writing better code — it’s now finding dangerous flaws in it. And sometimes, it’s doing it better than human experts.
Researchers at UC Berkeley just dropped some fascinating results. They tested top-tier AI models—including those from OpenAI, Google, Anthropic, Meta, and others—on 188 open-source software projects. Using a custom benchmark called CyberGym, the AI agents discovered 17 software vulnerabilities, 15 of which were previously unknown "zero-days."
One of the standout tools? Xbow, an AI developed by a startup of the same name, now ranks #1 on HackerOne—a platform for ethical hackers—and just raised $75 million in funding.
“This is a pivotal moment,” said UC Berkeley professor Dawn Song, who led the research. She explained that with more time and resources, these AI agents could discover even more—and potentially automate both defensive and offensive cybersecurity tasks.
Here’s how the experiment worked:
Researchers gave the AI agents vulnerability descriptions and let them scan codebases for flaws.
Some agents, like OpenHands and Cybench, generated hundreds of proof-of-concept exploits.
In total, they found 15 new zero-days and 2 rediscovered bugs.
Claude Code (from Anthropic) even earned bug bounty rewards—$1,350 in bug findings and $13,862 in patch designs—at the cost of just a few hundred bucks in API usage.
Despite this, AI still has a long way to go. It only found a small fraction (about 2%) of all known vulnerabilities. “Don’t replace your human bug hunters yet,” says Luta Security’s CEO Katie Moussouris.
The takeaway? AI is rapidly becoming a double-edged sword in cybersecurity:
It’s helping security pros find and patch vulnerabilities faster.
But it also lowers the bar for attackers who previously lacked the skills to uncover these flaws.
There’s also growing concern that AI will help attackers more than defenders—at least in the near future. That’s why Song and her team have created the AI Frontiers CyberSecurity Observatory, a public effort to track just how powerful these tools are becoming.
It’s clear we’re entering a new era. AI won’t just help us build the digital world—it might also be the first to break it. The big question now: can we stay one step ahead?
What do you think—should we be excited or alarmed by AI’s growing role in hacking and securing our software?
Hit reply and let me know.