June 15, 2026

About the project

The FreeBSD Foundation has launched its AI-assisted Vulnerability Discovery Project with the key goal of reducing the number of exploitable vulnerabilities in the FreeBSD source code.

The 6-month project is being funded by a grant from the Alpha Omega project. The funds will be used to engage FreeBSD Security Team members under fixed-term contracts to find and patch vulnerabilities. The Security Team’s access to publicly available AI models and tokens will be provided free of charge. AI will be used for vulnerability discovery and analysis only; all patches will be manually created.

Why this is important now

Open source codebases have become a key target for AI-assisted vulnerability scanning, and this has reduced the effective time to exploitation to 0 days. The FreeBSD Project has already received a number of credible vulnerability reports that are attributable to AI-enabled security tools.

The implications of this include:

  • It is possible for malicious actors to find exploitable vulnerabilities and use them before anyone else is aware of them. This increases the risk for open source users and harms trust.
  • Anyone with a moderate technical skillset can find and report vulnerabilities if they use an AI-assisted security tool. This can lead to a rapid increase in report numbers and a potential decrease in report quality. Dealing with this change in dynamics can be challenging for open source projects.

These risks have been recognized by many in the software industry – the Linux Foundation security initiative that this project falls under was funded by donations from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI. The initiative has the explicit goal of improving the security of open source software.

What the project covers

The FreeBSD Foundation has received a $250k grant to secure time from key members of the FreeBSD Security team and to cover time from other staff as needed to support their work. Accessing AI models for vulnerability analysis will be free of charge for the duration of the project.

The project’s goals are to reduce the number of vulnerabilities in the FreeBSD source code and to develop practical approaches that will improve efficiency in vulnerability management.

AI will be used to find vulnerabilities that will then be manually triaged, validated and patched. As this work is carried out, there will be opportunities to improve and automate elements of the FreeBSD Security Team’s infrastructure. Some examples include improving fuzzing capabilities for pre-merge, stable, and release branches and for vulnerability patches, or automatically triaging vulnerability reports. This work will also be within the project’s scope.

Initially, the FreeBSD kernel will be the focus of the project, followed by the base system userland, and the ports tree. All parts of FreeBSD may be in scope and will be addressed in priority order as time allows.

The project team will also liaise with other similar projects being funded by Alpha Omega to mutually share and improve the work being done.

“We are grateful to Alpha-Omega for supporting this important work. Their investment in our AI-Assisted Vulnerability Discovery project recognizes FreeBSD’s role as a critical component of global digital infrastructure. As the volume of vulnerability reports continues to grow, this funding will help us strengthen our ability to efficiently assess, prioritize, and respond to security issues, ensuring FreeBSD remains a secure and dependable platform for the many individuals, organizations, and products that rely on it worldwide.” – Deb Goodkin, Executive Director, FreeBSD Foundation.

“The FreeBSD Security Team has been receiving an increasing number of vulnerability reports from researchers leveraging AI tooling, and that volume continues to grow. This funding augments our volunteer Security Team, giving us the capacity to find, triage, and fix vulnerabilities rather than only responding to those reported to us.” – Gordon Tetlow, Security Officer, The FreeBSD Project

Project partners

The project is possible thanks to the support of many parties. In addition to the funding already mentioned, there are other important partners who will be helping to ensure a successful and impactful project.

Netflix has agreed to help test and validate changes, particularly those involving the network stack. NetApp and Verisign will also provide input on which functional areas should be focused on for vulnerability searching, collaborate on AI-assisted scanning, and help with regression testing and validation of prospective patches.

There are also some security researchers and FreeBSD vendors that have access to Claude Mythos Preview through Project Glasswing, and they have offered to use it for supplemental discovery and analysis on our behalf where practical.

A number of other open source projects are also running similar efforts. These include Ruby, Node.js, and PHP.

Find out more

To follow the progress of the project and to access more information, please visit https://github.com/FreeBSDFoundation/all-projects/tree/main/AI-assisted-vulnerability-discovery

Meet the Engineers

This project is being staffed by several part-time engineers.

Mark Johnston

Contract Security Engineer at the FreeBSD Foundation and member of the FreeBSD Security Team.

Howdy, I’m Mark, a long(ish)-time FreeBSD developer and user since 8.1-RELEASE. I’ve worked on many different parts of the operating system, in both professional and volunteer roles, and I’m excited for this opportunity to re-examine and improve the way we handle security in the FreeBSD project.
Pierre Pronchery

Contract Security Engineer at the FreeBSD Foundation and member of the FreeBSD Security Team.

Pierre Pronchery is passionate about Open Source software and Operating System internals in particular, which led him to join the NetBSD Foundation as a Developer in 2012 and then as a Director on the Board since 2017. Learning how systems work also teaches how they break, and it only made sense for him to advise and audit major companies professionally as an IT-Security Consultant, in a variety of situations involving Penetration Testing, Incident Response, Reverse Engineering, or Red Teaming. More recently, he joined the FreeBSD Foundation as a Security Engineer, where he currently helps the FreeBSD Project as a Developer and member of the Security Team.
Tuukka Pasanen

Contract DevOps Engineer at the FreeBSD Foundation.

I’ve been a long-time Open Source enthusiast since 1998. I started with Linux system administration with a strong vibe of tinkering with the basics of the operating system and creating artsy stuff, which I still find very dear to me. Over the years I’ve done development work on QNX and HP-UX (as well as AIX), but I have always found my home around Linux, coding, and DevOps. Lately, I’ve been reforming my Unix roots by contracting with the FreeBSD Foundation, where I have truly appreciated its power. For me, LLM security automation represents an exploration of new ways to secure the digital world for all of us.