August 5, 2025
Google has officially revealed that its AI-based bug hunting system, Big Sleep, has successfully discovered 20 security vulnerabilities in widely used open-source software. Developed through a collaboration between Google DeepMind and Project Zero, Big Sleep is an advanced AI agent designed to autonomously search for bugs before attackers can exploit them.

How Google's AI Bug Hunter Big Sleep Works
In an official blog post titled “From Naptime to Big Sleep”, Google described the system as an “agentic AI” powered by Gemini 1.5 Pro, capable of analyzing code changes, generating test cases, and identifying logic or memory-related bugs. The AI agent mimics expert human analysis by starting with known bug fixes and searching for similar patterns across massive codebases like SQLite.
The first major discovery came when Big Sleep found a critical stack-buffer underflow bug in SQLite's seriesBestIndex() function, an issue that had gone unnoticed by traditional fuzzing tools and was patched before any public release. Since then, Google confirms that Big Sleep has uncovered 20 unique vulnerabilities across major open-source projects, including FFmpeg, ImageMagick, Redis, and several JavaScript engines.
“This is the first real-world memory safety bug found and reported by an autonomous AI agent,” said Google's Project Zero team. “It signals a shift in how security research will be done.”
The company emphasized the impact of this AI-first approach: it allows defenders to proactively identify and fix vulnerabilities, reversing the long-held dynamic where attackers often get there first. According to Heather Adkins, Google's VP of Security, “AI has given us a powerful advantage: it allows us to defend at scale.”
Further, in a July 2025 update, Google revealed that Big Sleep played a pivotal role in discovering CVE-2025-6965, a severe vulnerability in SQLite that was believed to be known only by threat actors. The AI not only discovered it but helped Google act before it was exploited, marking a major milestone in defensive cybersecurity.
The AI agent's successes are now being applied across more open-source ecosystems. All reported bugs are handled through Google's coordinated vulnerability disclosure process and are publicly tracked.