DARPA's two-year AIxCC competition challenged teams to build AI-powered Cyber Reasoning Systems (CRS) capable of finding and fixing bugs in real open source software. Backed by a $30.5M prize pool and supported by Anthropic, Google, Microsoft, and OpenAI, the competition produced 27 confirmed real-world vulnerabilities across projects like cURL, shadowsocks-libev, and mongoose. OSTIF and Ada Logics handled responsible disclosure and verification. Post-competition, tools like FuzzingBrain and OSS-CRS have continued finding vulnerabilities — FuzzingBrain alone discovered 62 vulnerabilities across 26 projects. OpenSSF has formed a Cyber Reasoning Systems Special Interest Group to host and develop these tools, with the goal of providing low-cost, automated security tooling to open source maintainers.

8m read time. From openssf.org