AI Can Find Hundreds of Software Bugs -- Fixing Them Is Another Story
Slashdot
by msmash, February 26, 2026
AI-Generated Deep Dive Summary
AI has proven capable of identifying software vulnerabilities at a rapid pace, with Anthropic's Claude Code Security tool detecting over 500 bugs in open-source codebases. However, the real challenge lies not in discovering these issues but in addressing them. According to experts like Guy Azari, former security researcher at Microsoft and Palo Alto Networks, only a small fraction of the identified vulnerabilities—two to three out of the 500—have been fixed. Moreover, none have received CVE (Common Vulnerabilities & Exposures) assignments, which are crucial for tracking and addressing security flaws.
The bottleneck appears to be in the downstream processes of validation, coordination with developers, and creating patches that align with existing code architectures. The National Vulnerability Database (NVD) already faces a backlog of roughly 30,000 CVE entries waiting for analysis, and two-thirds of reported open-source vulnerabilities lack an NVD severity score. This delay in classification and prioritization further hinders efforts to address these issues effectively.
The strain on developers is evident in cases like the curl project, which shut down its bug bounty program due to an overwhelming influx of poorly crafted reports, from AI tools and human contributors alike. Feross Aboukhadijeh, CEO of security firm Socket, noted that while AI has made discovering vulnerabilities significantly cheaper, the process of validating findings, coordinating fixes with maintainers, and developing patches remains slow and labor-intensive.
This situation highlights a critical challenge for the tech industry: as automated tools like Claude Code Security flood developers with potential issues, the human effort required to validate and resolve these problems grows exponentially. The lack of standardized severity scores and delays in CVE assignments further complicate efforts to prioritize and address vulnerabilities effectively.
For readers interested in tech and cybersecurity, this underscores the need for improved processes and tools that not only detect but also streamline the resolution of software flaws. Without meaningful progress in fixing these issues, open-source projects and the broader tech ecosystem face significant risks, leaving users and organizations exposed to potential security threats.
Originally published on Slashdot on 2/26/2026