Google’s AI Discovered a Zero-Day Vulnerability

Security researchers discover zero-day vulnerabilities all the time. Zero-days are flaws that are either known or actively exploited by third-parties before the developer of the affected software has a chance to patch that vulnerability. As such, they’re the most critical security flaw to patch, as developers have “zero days” to fix the issue.

However, an AI agent of Google’s has made history as the first artificial intelligence to discover a zero-day on its own, at least that we know of. The AI is part of Google’s Project Zero, a group of security researchers looking for zero-day vulnerabilities across software—Google’s or otherwise.

On November 1, Project Zero announced it had created a large language model (LLM) that powers an AI agent that can find zero-days. To that point, the agent already found its first zero-day: an exploitable stack buffer underflow flaw in SQLite, a popular database engine. Project Zero says they reported the zero-day to SQLite’s developers last month, and the flaw was patched that very day.

These researchers hope its new AI agent can be an aid to “fuzzing” techniques when looking for flaws. Fuzzing uses randomized data to seek out issues in code. However, researchers say it’s not without its downsides. Project Zero hopes its new AI agent can make up for fuzzing’s shortcomings.