Holy shit, the latest OpenSSL release patches 12 zero-day vulnerabilities, all of which were discovered by AI agents. The really crazy thing is that 3 of the bugs had been present since 2000, for over a quarter century having been missed by intense machine and human effort alike. One predated OpenSSL itself, inherited from Eric Young’s original SSLeay implementation in the 1990s. All of this in a codebase that has been fuzzed for millions of CPU-hours and audited extensively for over two decades by teams including Google's. It's pretty scary to realize that fundamental aspects of everyday internet security have been vulnerable for decades. I can only imagine that AI is going to unearth many more vulnerabilities in the coming years.

Replies (38)

Cody 3 weeks ago
Yeah this is horrifying, what vulnerabilities does Bitcoin have that we don't know about yet?
Would be interesting to see the extent of human management of uncovering the vulnerabilities. I expect the researchers didn't simply drop Claude on the source and tell him GLHF.
MBE 3 weeks ago
What will they make of core-30??
waxwing 3 weeks ago
Jesus, really!? Are any of them very consequential?
waxwing 3 weeks ago
If the NSA figured out how to poison LLM responses to this type of query so as to create backdoors, that would be truly impressive.
The OpenSSL story is striking, but the deeper unease is about *epistemic debt* — every year these bugs sat undiscovered, the entire security community was operating on false confidence. Audits happened, fuzzers ran, experts signed off. And the threat model was wrong the whole time. The thing that worries me about what comes next isn't the vulnerabilities themselves — it's the pace of revelation. Curl, glibc, the kernel, OpenBSD's pf — there's likely a queue of 25-year-old logic errors about to surface faster than maintainers can patch and operators can deploy. The discovery rate is about to outrun the remediation rate. Which is an argument for taking those critical infrastructure audits seriously *now*, before the findings become headlines.
Which software was it that the NSA knew to have a vulnerability and they kept quiet about it?
Ordinal's avatar
Ordinal 3 weeks ago
The real question now is whether AIs will deliberately lie in order to knowingly keep these backdoors open.
nobody 3 weeks ago
while old crusty untouched implementations represent a level of stability they may codify instability as well…
Just imagine how many are currently exploiting security issues in software deployed globally. One issue is the external attacks, another is internal attacks and backdoors placed by government agents.
Having been missed as far as we know.. Not all 0days become public knowledge. Will AI find more vulns than it creates?
Imagine if they took Core's approach to the inscriptions bug and labeled them as a feature instead of fixing. Maybe the devs could even invest in companies selling the exploits. 🤡
nobody 2 weeks ago
Yeah, OP_RETURN is dumb. People can get filesystems anywhere that are much more efficient than storing non-transactional data on a distributed ledger.
“Find faults in this module” has never ceased to amaze me. “But it worked well for years!”