TLDR: depthfirst’s production autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, after intensive security analysis by Google and Anthropic. Moving beyond theoretical analysis, our agent produces concrete, reproducible PoC inputs to confirm its findings at a fraction of the costs ($1k vs. $10k). Several of the findings had been sitting latent for 15 to 20 years. We explored the exploitability of the issues and developed a PoC demonstrating a RCE exploit primitive.
Unfortunately, these AI-discovered exploits seem like they’re here to stay. It’s just wishful thinking to imagine that we’d somehow fix all the bugs, so we’re just gonna have to live with endless day-zeroes forever.