"AI found 12 of 12 OpenSSL zero-days (while curl cancelled its bug bounty)" by Stanislav Fort

This is a partial follow-up to AISLE discovered three new OpenSSL vulnerabilities from October 2025.

TL;DR: OpenSSL is among the most scrutinized and audited cryptographic libraries on the planet, underpinning encryption for most of the internet. They just announced 12 new zero-day vulnerabilities (meaning previously unknown to maintainers at time of disclosure). We at AISLE discovered all 12 using our AI system. This is a historically unusual count and the first real-world demonstration of AI-based cybersecurity at this scale. Meanwhile, curl just cancelled its bug bounty program due to a flood of AI-generated spam, even as we reported 5 genuine CVEs to them. AI is simultaneously collapsing the median ("slop") and raising the ceiling (real zero-days in critical infrastructure).

Background

We at AISLE have been building an automated AI system for deep cybersecurity discovery and remediation, sometimes operating in bug bounties under the pseudonym Giant Anteater. Our goal was to turn what used to be an elite, artisanal hacker craft into a repeatable industrial process. We do this to secure the software infrastructure of human civilization before strong AI systems become ubiquitous. Prosaically, we want to make sure we don't get hacked into oblivion the moment they come online.

[...]

---

Outline:

(01:05) Background

(02:56) Fall 2025: Our first OpenSSL results

(05:59) January 2026: 12 out of 12 new vulnerabilities

(07:28) HIGH severity (1):

(08:01) MODERATE severity (1):

(08:24) LOW severity (10):

(13:10) Broader impact: curl

(17:06) The era of AI cybersecurity is here for good

(18:40) Future outlook

---

First published:
January 27th, 2026

Source:
https://www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-12-of-12-openssl-zero-days-while-curl-cancelled-its

---



Narrated by TYPE III AUDIO.