AI has found 50 bugs in cURL. "AI-native SASTs work well"
11 hours ago
- #Open Source
- #AI Security
- #Vulnerability Research
- Joshua Rogers used AI-based tools to find 50 real bugs in libcURL, impressing maintainer Daniel Stenberg.
- AI-generated bug reports were previously considered 'slop' but now show potential for finding overlooked vulnerabilities.
- Traditional static analysis tools missed bugs that AI tools like ZeroPath detected.
- Daniel Stenberg acknowledged the quality of AI findings, marking a shift from earlier skepticism.
- Joshua Rogers' method involves using AI tools from multiple angles and manual review.
- Generative AI excels by understanding both natural and programming languages, spotting misalignments in logic.
- Some discovered bugs were in old, unused code, leading to its retirement rather than fixing.