AI System Discovers All 12 Zero-Day Vulnerabilities in Latest OpenSSL Security Release
Key Takeaways
- AISLE's AI system discovered all 12 zero-day vulnerabilities in OpenSSL's latest security release, a historically unusual count for the heavily audited cryptographic library
- One discovered vulnerability (CVE-2025-9230) had existed undetected since 2009, demonstrating AI's ability to find long-hidden security flaws
- The achievement highlights a growing divide in AI security contributions: sophisticated systems finding genuine vulnerabilities while low-quality AI spam forces programs like curl to cancel bug bounties
Summary
AISLE, an AI cybersecurity startup, announced that its automated AI system discovered all 12 zero-day vulnerabilities disclosed in OpenSSL's latest security release. OpenSSL, which encrypts an estimated two-thirds of the world's internet traffic, is among the most scrutinized cryptographic libraries globally, making this achievement a significant milestone in AI-driven security research. The company, operating under the pseudonym 'Giant Anteater' in bug bounty programs, previously found 3 of 4 OpenSSL CVEs in fall 2025, including a bug that had remained undetected since 2009, a span of over 15 years.
The vulnerabilities discovered span various severity levels and include out-of-bounds memory issues, timing side-channels, and parsing errors that could potentially lead to memory corruption or private key recovery. AISLE's system represents what the company calls an effort to transform elite security research from an 'artisanal hacker craft into a repeatable industrial process,' with the stated goal of securing software infrastructure before more advanced AI systems become ubiquitous.
This development comes amid a polarizing moment for AI in cybersecurity: while AISLE demonstrates AI's potential to find critical security flaws, the curl project recently cancelled its bug bounty program due to overwhelming AI-generated spam submissions, despite AISLE having reported 5 genuine CVEs to them. The company notes this dichotomy reflects AI 'simultaneously collapsing the median (slop) and raising the ceiling (real zero-days in critical infrastructure).' The achievement was recognized by the independent 'Frontier of the Year 2025' forecasting project, which ranked AI-driven vulnerability discovery in critical infrastructure as the #3 AI breakthrough of 2025 by expected impact.
- OpenSSL encrypts approximately two-thirds of global internet traffic, making these discoveries critical for worldwide internet security infrastructure
Editorial Opinion
This represents a watershed moment for AI in cybersecurity—not just because of the technical achievement, but because it demonstrates AI can now outperform traditional security auditing at scale on the internet's most critical infrastructure. The irony that curl cancelled its bug bounty amid AI spam while AISLE found genuine vulnerabilities underscores a broader pattern: AI is creating a barbell distribution of security research quality. The real question now is how quickly this technology proliferates and whether defensive AI discovery can stay ahead of offensive capabilities.


