Stanislav Fort
Podcast Appearances
Therefore our benchmark was completely external to us and in some cases intellectually adversarial.
We chose to focus on some of the most well-audited, secure, and heavily tested pillars of the world software ecosystem.
Among them, OpenSSL stands out.
Industry estimates suggest that at least two-thirds of the world's internet traffic is encrypted using OpenSSL and a single zero-day vulnerability in it can define a security researcher's career.
Our first OpenSSL results.
In late summer 2025, six months into starting our research, we tested our AI system against OpenSSL and found a number of real, previously unknown security issues.
In the full 2025 OpenSSL security release, four CVEs in total were announced from 2025 of the format.
There's a code block here in the text, out of which three were found, responsibly disclosed, and in some cases even fixed by us, or more precisely by our AI system.
You can read more in our original blog post.
Specifically, these were two moderate severity issues.
CVE-2025-9230.
Out-of-bounds read-write in the RFC 3211 KEK unwrap operation for CMS password-based encryption, potentially leading to memory corruption or code execution.
This bug had been present since 2009, undetected for over 15 years.
CVE-2025-9231.
Timing side channel in SM2 elliptic curve signatures on 64-bit ARM, where variations in execution time during modular arithmetic could in principle allow private key recovery through careful remote observation.
This is a subtle, logic-level vulnerability where the correctness of the code obscured a timing leak that only emerged under specific hardware conditions.
We also found a single low-severity CVE.
CVE-2025-9232.
Out-of-bounds read in HTTP client.
There's a code block here in the text.