Stanislav Fort
When they accept a vulnerability, patch it, assign a CVE, and publicly credit the reporter, that's as close to ground truth as security research gets.
That's why we chose this to be our ultimate evaluation.
Subheading: Future outlook.
We don't yet know the true underlying number of vulnerabilities in OpenSSL, so we can't say what dent we're making in its overall security.
We also don't yet know whether offense or defense benefits more from these capabilities.
Time will tell.
If we keep tracking CVE counts, severities, and real-world impact, we'll see whether this translates into meaningfully fewer exploitable bugs in production in the years to come.
I believe it will.
Here's what we do know.
AI can now find real security vulnerabilities in the most hardened, well-audited code bases on the planet.
The capabilities exist, they work, and they're improving rapidly.
I personally believe this advantages defense.
If this pattern continues, finding and fixing vulnerabilities faster than they can be exploited, particularly in foundational libraries like OpenSSL that the rest of the ecosystem inherits from, we get compounding security returns.
The hard part was always the discovery; remediation scales more easily once you know what to fix, at least in key projects that get updated often.
We're not there yet, but the trajectory is clear.
The time of AI-driven vulnerability discovery is here, and the evidence suggests that it can be pointed at making critical infrastructure genuinely more secure.
I am therefore hopeful and positive about the future of cybersecurity in the strong AI era.
This article was narrated by Type 3 Audio for Less Wrong.
It was published on January 27, 2026.