The Vulniverse: Now with AI! (Hold the Slop Please)

Finding, fixing, and sharing software vulnerabilities is a challenge on the easiest of days. With all of the standards, formats, channels, and personalities, it can feel like an insurmountable hill to climb. Just when we thought we had sorted it out with the Vulniverse Alphabet Soup Guide to help clear up the Coordinated Vulnerability Disclosure (CVD) process, along come new adventures thanks to AI in the form of Cyber Reasoning Systems (CRSs). These new tools are capable of autonomously finding and fixing bugs in open source software. How will CRSs impact the daily work of Product Security & Incident Response Teams (PSIRTs), Security Researchers, Computer Emergency Response Teams (CERTs), and Corporate Incident Response & Security Teams (CSIRTs)? How will all of this be received (or rejected) by open source project maintainers? What can we do to keep humans involved and prevent AI slop?

This session will explore the new capabilities and real world results from the open source CRSs created through DARPA and ARPA-H's AI Cyber Challenge (AIxCC). With the experience from dozens of zero-days being found and reported responsibly (with generated patches also being provided), we'll review how the process and tools have been received (or rejected) by a cross-section of open source projects, and what it means for the future of CVD.

Speaker

Jeff Diecks

Jeff Diecks is a Technical Project Manager at The Linux Foundation leading OpenSSF’s support of the AIxCC program.

Jeff has more than two decades of experience in technology and communications with a

...