<2> AI Can Find Hundreds of Software Bugs — Fixing Them Is Another Story
<3> The Promise of AI-Powered Bug Detection
AI-powered bug detection tools are changing how software vulnerabilities are identified. Anthropic recently promoted Claude Code Security, a research-preview capability built on its Claude Opus 4.6 model, reporting that it has surfaced more than 500 bugs in production open-source codebases. Security researchers argue, however, that the real bottleneck lies not in discovery but in validating and fixing what is found.
<3> The Challenges of Validation and Patching
Guy Azari, a former security researcher at Microsoft and Palo Alto Networks, points out that only two or three of the 500 reported vulnerabilities have been fixed, and none has received a CVE assignment. The downstream pipeline is already saturated: as of 2025 the National Vulnerability Database carries a backlog of roughly 30,000 CVE entries awaiting analysis, and nearly two-thirds of reported open-source vulnerabilities lack an NVD severity score.
<3> The Human Factor in Bug Fixing
Feross Aboukhadijeh, CEO of security firm Socket, emphasizes that while discovery is becoming dramatically cheaper, the steps that follow it (validating that a finding is a real, reachable bug, coordinating disclosure with maintainers, and developing patches that fit the project's architecture) remain slow, human-intensive work. The curl project
