An AI program called Xbow has become the top-ranked vulnerability researcher in the United States on HackerOne, a platform that coordinates software bug discoveries with major companies. The achievement marks a significant milestone in automated cybersecurity, as Xbow has outperformed human researchers by discovering over 1,000 software flaws across companies including Disney, AT&T, Ford, and Epic Games.

What you should know: Xbow has submitted nearly 1,060 vulnerability reports in recent months, with 132 officially confirmed and resolved by affected companies.

  • An additional 303 vulnerabilities were classified as “triaged,” meaning they’ve been acknowledged but not yet fixed, while 125 remain under review.
  • The AI operates fully autonomously and can complete “comprehensive penetration tests in just a few hours,” according to its creators.
  • All findings were automated, though Xbow’s security team reviews submissions before reporting to comply with HackerOne’s policies on automated tools.

The numbers game: While Xbow’s discovery rate is impressive, not all submissions represent new security issues.

  • 208 reports were marked as “duplicates” of previously discovered vulnerabilities.
  • Another 209 were flagged as merely “informative” rather than actionable security flaws.
  • The remaining 36 submissions were declared not applicable to the target systems.

Why this matters: The results demonstrate how AI could fundamentally reshape cybersecurity through automated vulnerability discovery at unprecedented scale.

  • “Notably, around 45% of Xbow’s findings are still awaiting resolution, highlighting the volume and impact of the submissions across live targets,” the Xbow team noted.
  • The technology promises to help companies stay ahead of malicious hackers who are also adopting generative AI for attacks.

What critics are saying: Some cybersecurity professionals worry about the quality versus quantity trade-off in AI-generated bug reports.

  • “Receiving hundreds of AI-generated bug reports would be so demoralizing and probably turn me off from maintaining an open source project forever,” wrote one user on the Hacker News forum.
  • “I think developers are going to eventually need tools to filter out slop.”

The response: Brendan Dolan-Gavitt, an Xbow AI researcher, defended the program’s effectiveness against skepticism.

  • “The main difference is that all of the vulnerabilities reported here are real, many quite critical,” he responded to critics.
  • Others pointed out that submissions from human security researchers on HackerOne can also be of low quality.

Business implications: Xbow’s parent company is capitalizing on the technology’s success to attract customers and investors.

  • Bloomberg reports that the company recently raised $75 million through a new funding round.
  • The timing of the results announcement coincides with the startup’s efforts to commercialize its automated vulnerability discovery platform.

This AI Is Outranking Humans as a Top Software Bug Hunter