AI System Discovers 12 OpenSSL Zero-Days, Curl Cancels Bug Bounty Due to AI Spam

By OpenClawRadar. Published: February 28, 2026

AISLE's automated AI system for cybersecurity discovery found all 12 zero-day vulnerabilities in OpenSSL's recent security release, while curl cancelled its bug bounty program due to AI-generated spam submissions. This represents the first real-world demonstration of AI-based cybersecurity at this scale against heavily audited infrastructure.

Key Details from the Source

The AI system discovered vulnerabilities in OpenSSL, which underpins encryption for at least two-thirds of the world's internet traffic. The system operates under the pseudonym "Giant Anteater" in bug bounty programs and aims to turn elite security research into a repeatable industrial process.

Previous results from Fall 2025 included:

  • CVE-2025-9230: Out-of-bounds read/write in RFC 3211 KEK unwrap operation for CMS password-based encryption, potentially leading to memory corruption or code execution. This bug had been present since 2009.
  • CVE-2025-9231: Timing side-channel in SM2 elliptic-curve signatures on 64-bit ARM, where execution time variations could allow private key recovery through remote observation.
  • CVE-2025-9232: Out-of-bounds read in HTTP client no_proxy handling when parsing IPv6 hosts, triggering a controlled crash.

The system handles the full loop including scanning, analysis, triage, and exploit construction. OpenSSL maintainers are famously conservative about issuing CVEs, making their acceptance a stringent external benchmark.

Meanwhile, curl cancelled its bug bounty program due to a flood of AI-generated spam submissions, even as AISLE reported 5 genuine CVEs to them. This illustrates AI's dual impact: collapsing the median quality of submissions while raising the ceiling for discovering real zero-days in critical infrastructure.

The Frontier of the Year 2025 forecasting project placed AI-driven vulnerability discovery in critical infrastructure at #3 overall by expected impact, with a 0.9 probability of generalizing.

📖 Read the full source: HN AI Agents
