Stanislav Fort
๐ค SpeakerAppearances Over Time
Podcast Appearances
AI found 12 of 12 OpenSSL zero days, while Curl cancelled its bug bounty.
This is a partial follow-up to I'll Discovered three new OpenSSL vulnerabilities from October 2025.
TLDR.
OpenSSL is among the most scrutinized and audited cryptographic libraries on the planet, underpinning encryption for most of the Internet.
They just announced 12 new zero-day vulnerabilities, meaning previously unknown to maintainers at time of disclosure.
We at I'll discovered all 12 using our AI system.
This is a historically unusual count and the first real-world demonstration of AI-based cybersecurity at this scale.
Meanwhile, Curl just cancelled its bug bounty program due to a flood of AI-generated spam, even as we reported five genuine CVEs to them.
AI is simultaneously collapsing the median, slop, and raising the ceiling real zero days in critical infrastructure.
Heading Background
We at ILE have been building an automated AI system for deep cybersecurity discovery and remediation, sometimes operating in bug bounties under the pseudonym Giant and Eater.
Our goal was to turn what used to be an elite, artisanal hacker craft into a repeatable industrial process.
We do this to secure the software infrastructure of human civilization before strong AI systems become ubiquitous.
Prisaically, we want to make sure we don't get hacked into oblivion the moment they come online.
No reliable cybersecurity benchmark reaching the desired performance level exists yet.
We therefore decided to test the performance of our AI system against live targets.
The clear benefit of this is that for a new, zero-day security vulnerability to be accepted as meriting a CVE, a unique vulnerability identifier, it has to pass an extremely stringent judgment by the long-term maintainers and security team of the project, who are working under many incentives not to do so.
Beyond just finding bugs, the issue must fit within the project's security posture, that is what they consider important enough to warrant a CVE.
OpenSSL is famously conservative here.
many reported issues are fixed quietly or rejected entirely.