Latest news with #RunSybil
Yahoo
4 days ago
- Business
- Yahoo
Google's 'Big Sleep' AI Finds 20 Security Vulnerabilities in Open-Source Software
Alphabet Inc. (NASDAQ:GOOGL) is one of the most profitable growth stocks to buy according to billionaires. On August 5, Google announced that its AI-powered vulnerability researcher, named Big Sleep, has successfully found and reported 20 security vulnerabilities. Developed as a collaboration between Google's AI division, DeepMind, and its elite hacking team, Project Zero, Big Sleep is an LLM-based tool designed to find bugs without human intervention. The vulnerabilities were discovered in various popular open-source software, such as the audio and video library FFmpeg and the image-editing suite ImageMagick. While a human expert is involved in a final review to ensure the quality of the reports before they are submitted, Google confirmed that Big Sleep found and reproduced each vulnerability autonomously. Google Big Sleep is not the only AI-powered bug hunter; other projects like RunSybil and XBOW have also shown promise. Vlad Ionescu, the co-founder of RunSybil, validated Big Sleep as a legit project, noting the strong expertise and resources behind it. Alphabet Inc. (NASDAQ:GOOGL) offers various products and platforms in the US, Europe, the Middle East, Africa, the Asia-Pacific, Canada, and Latin America. It operates through Google Services, Google Cloud, and Other Bets segments. While we acknowledge the potential of GOOGL as an investment, we believe certain AI stocks offer greater upside potential and carry less downside risk. Disclosure: None. This article is originally published at Insider Monkey.


WIRED
30-07-2025
- Business
- WIRED
I Watched AI Agents Try to Hack My Vibe-Coded Website
Jul 30, 2025 2:00 PM
RunSybil, a startup founded by OpenAI's first security researcher, deploys agents that probe websites for vulnerabilities—part of a new AI era for cybersecurity.
A few weeks ago, I watched a small team of artificial intelligence agents spend roughly 10 minutes trying to hack into my brand new vibe-coded website. The AI agents, developed by startup RunSybil, worked together to probe my poor site to identify weak spots. An orchestrator agent, called Sybil, oversees several more specialized agents all powered by a combination of custom language models and off-the-shelf APIs. Whereas conventional vulnerability scanners probe for specific known problems, Sybil is able to operate at a higher level, using artificial intuition to figure out weaknesses. It might, for example, work out that a guest user has privileged access—something a regular scanner might miss—and use this to build an attack. Ariel Herbert-Voss, CEO and cofounder of RunSybil, says that increasingly capable AI models are likely to revolutionize both offensive and defensive cybersecurity. 'I would argue that we're definitely on the cusp of a technology explosion in terms of capabilities that both bad and good actors can take advantage of,' Herbert-Voss told me. 'Our mission is to build the next generation of offensive security testing just to help everybody keep up.' The website targeted by Sybil was one I created recently using Claude Code to help me sort through new AI research papers. The site, which I call Arxiv Slurper, consists of a backend server that accesses the Arxiv—where most AI research is posted—along with a few other resources, combing through paper abstracts for words like 'novel', 'first', 'surprising' as well as some technical terms I'm interested in. It's a work in progress, but I was impressed with how easy it was to cobble together something potentially useful, even if I had to fix a few bugs and configuration issues by hand.
A key problem with this kind of vibe-coded site, however, is that it's hard to know what kinds of security vulnerabilities you may have introduced. So when I spoke to Herbert-Voss about Sybil, I decided to ask if it could test my new site for weaknesses. Thankfully, and only because my site is so incredibly basic, Sybil did not find any vulnerabilities. Herbert-Voss says most vulnerabilities tend to be the result of more complex functionality like forms, plugins, and cryptographic features. We watched as the same agents tried probing a dummy ecommerce website with known vulnerabilities owned by Herbert-Voss. Sybil built a map of the application and how it is accessed, probed for weak spots by manipulating parameters and testing edge cases, and then chained together findings, testing hypotheses and escalating until it broke something meaningful. In this case, it did identify ways to hack the site. Unlike a human, Herbert-Voss says Sybil runs thousands of these processes in parallel, doesn't miss details, and doesn't stop. 'The result is something that behaves like a seasoned attacker but operates with machine precision and scale,' he says. 'AI-powered pen testing is a promising direction that can have significant benefits for defending systems,' says Lujo Bauer, a computer scientist at Carnegie Mellon University (CMU) who specializes in AI and computer security. Bauer recently coauthored a study with others from CMU and a researcher from AI company Anthropic that explores the promise of AI penetration testing. The researchers found that the most advanced commercial models could not perform network attacks but developed a system that set high-level objectives like scanning a network or infecting a host, which enabled them to perform penetration tests. Sarah Guo, an investor and founder at investment firm Conviction, which is backing RunSybil, says it is rare to find people who understand both AI and cybersecurity.
Guo adds that RunSybil promises to make the kind of security assessment that large companies perform periodically more widely available, and on a continuous basis. 'They can do baseline penetration testing with models and tool use continuously,' she says. 'So you'll always have a view of what it really looks like to be under attack.' The techniques being developed by RunSybil may become doubly necessary as attackers develop their own AI strategies. 'We have to assume that attackers are already using AI to their benefit,' says Bauer of CMU. 'So developing pen-testing tools that use it is both responsible and likely necessary to balance the increasing risk of attack.' Herbert-Voss seems like a good person to help here, since he was the first security researcher at OpenAI. 'I built all sorts of crazy things like new prototypes of polymorphic malware, spearphishing infrastructure, reverse engineering tools,' Herbert-Voss says. 'I was concerned that we didn't have a solution for when everybody gets access to language models—including the bad guys.' This is an edition of Will Knight's AI Lab newsletter.
Yahoo
24-07-2025
- Yahoo
AI slop and fake reports are exhausting some security bug bounties
So-called AI slop, meaning LLM-generated low quality images, videos, and text, has taken over the internet in the last couple of years, polluting websites, social media platforms, at least one newspaper, and even real-world events. The world of cybersecurity is not immune to this problem, either. In the last year, people across the cybersecurity industry have raised concerns about AI slop bug bounty reports, meaning reports that claim to have found vulnerabilities that do not actually exist, because they were created with a large language model that simply made up the vulnerability, and then packaged it into a professional-looking writeup. 'People are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, 'oh no, where is this vulnerability?',' Vlad Ionescu, the co-founder and CTO of RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch. 'It turns out it was just a hallucination all along. The technical details were just made up by the LLM,' said Ionescu. Ionescu, who used to work at Meta's red team tasked with hacking the company from the inside, explained that one of the issues is that LLMs are designed to be helpful and give positive responses. 'If you ask it for a report, it's going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves, overwhelm the customers, and you get into this frustrating situation,' said Ionescu. 'That's the problem people are running into, is we're getting a lot of stuff that looks like gold, but it's actually just crap,' said Ionescu. Just in the last year, there have been real-world examples of this. Harry Sintonen, a security researcher, revealed that the open source security project Curl received a fake report. 'The attacker miscalculated badly,' Sintonen wrote in a post on Mastodon. 'Curl can smell AI slop from miles away.' 
In response to Sintonen's post, Benjamin Piouffle of Open Collective, a tech platform for nonprofits, said that they have the same problem: that their inbox is 'flooded with AI garbage.' One open-source developer, who maintains the CycloneDX project on GitHub, pulled their bug bounty down entirely earlier this year after receiving 'almost entirely AI slop reports.' The leading bug bounty platforms, which essentially work as intermediaries between bug bounty hackers and companies who are willing to pay and reward them for finding flaws in their products and software, are also seeing a spike in AI-generated reports, TechCrunch has learned. Michiel Prins, the co-founder and senior director of product management at HackerOne, told TechCrunch that the company has encountered some AI slop. 'We've also seen a rise in false positives — vulnerabilities that appear real but are generated by LLMs and lack real-world impact,' said Prins. 'These low-signal submissions can create noise that undermines the efficiency of security programs.' Prins added that reports that contain 'hallucinated vulnerabilities, vague technical content, or other forms of low-effort noise are treated as spam.' Casey Ellis, the founder of Bugcrowd, said that there are definitely researchers who use AI to find bugs and write the reports that they then submit to the company. Ellis said they are seeing an overall increase of 500 submissions per week. 'AI is widely used in most submissions, but it hasn't yet caused a significant spike in low-quality 'slop' reports,' Ellis told TechCrunch. 'This'll probably escalate in the future, but it's not here yet.'
Ellis said that the Bugcrowd team who analyze submissions review the reports manually using established playbooks and workflows, as well as with machine learning and AI 'assistance.' To see if other companies, including those who run their own bug bounty programs, are also receiving an increase in invalid reports or reports containing non-existent vulnerabilities hallucinated by LLMs, TechCrunch contacted Google, Meta, Microsoft, and Mozilla. Damiano DeMonte, a spokesperson for Mozilla, which develops the Firefox browser, said that the company has 'not seen a substantial increase in invalid or low quality bug reports that would appear to be AI-generated,' and the rejection rate of reports — meaning how many reports get flagged as invalid — has remained steady at 5 or 6 reports per month, or less than 10% of all monthly reports. 'Mozilla's employees who review bug reports for Firefox don't use AI to filter reports, as it would likely be difficult to do so without the risk of rejecting a legitimate bug report,' DeMonte said in an email. Microsoft and Meta, companies that have both bet heavily on AI, declined to comment. Google did not respond to a request for comment. Ionescu predicts that one of the solutions to the problem of rising AI slop will be to keep investing in AI-powered systems that can at least perform a preliminary review and filter submissions for accuracy. In fact, on Tuesday, HackerOne launched Hai Triage, a new triaging system that combines humans and AI. According to HackerOne spokesperson Randy Walker, this new system is leveraging 'AI security agents to cut through noise, flag duplicates, and prioritize real threats.' Human analysts then step in to validate the bug reports and escalate as needed. As hackers increasingly use LLMs and companies rely on AI to triage those reports, it remains to be seen which of the two AIs will prevail.


TechCrunch
24-07-2025
- TechCrunch
AI slop and fake reports are exhausting some security bug bounties