← BACK TO FEED
Chromevulnerability discoveryAI securityGooglebug bounty

Chrome Vulnerability Numbers Are Skyrocketing. AI Is Almost Certainly Why.

Google has seen a dramatic surge in Chrome vulnerability discoveries, with the number of internally found flaws jumping from a handful in March to 100 in a single advisory published on May 5, likely due to its use of AI tools. While Google has not explicitly confirmed AI is responsible, the timing aligns with its own statements that AI and automation are helping its teams remediate risks "at an unprecedented rate." Google has been developing AI-powered vulnerability discovery tools such as Big Sleep and CodeMender, and is also among a select group of organisations with access to Anthropic's powerful Claude Mythos model.

Something quietly unusual has been happening in Google's Chrome security advisories. The numbers don't lie, even if Google isn't saying much.

Back in late March and early April, a handful of Chrome vulnerabilities were being flagged as internally discovered. Then the April 15 update listed 16. The April 28 update had 21. By May 5, that figure had jumped to 100 in a single advisory, with more than 70 of the bugs in the two most recent releases traced back to Google's own teams.

Google hasn't formally credited AI for this surge. But the company recently slashed its Chrome bug bounty payouts, noting in that announcement that AI and automation are now helping staff move 'at an unprecedented rate'. That's a fairly significant clue.

The company has also been publicly enthusiastic about AI-assisted security work. It pointed out that recent advances have made it far easier to take a test case, trace the root cause of a bug, propose a fix, and identify variants of similar problems. That's a description of exactly what a well-tuned AI vulnerability scanner would do.

Google isn't alone in this. Mozilla recently credited Anthropic's Claude Mythos model with helping uncover more than 270 Firefox vulnerabilities. Microsoft and Palo Alto Networks have made similar noises about AI-assisted bug discovery in their own codebases.

As for which tool Google is actually using, that remains opaque. The company is one of around 50 organisations with access to Claude Mythos, so that's one option. But Google has also been building its own kit. Big Sleep has been in the works for a while, and this week Google published details on CodeMender, an AI security agent developed by DeepMind that uses Gemini models to autonomously identify vulnerabilities, suggest fixes, test them, and push patches with developer sign-off.

There's also the possibility Google is running tools that never get announced publicly.

When SecurityWeek asked Google directly how many of the Chrome vulnerabilities were AI-discovered, and which model or tool was involved, Google didn't respond. Which tells you something, even if it doesn't tell you everything.