Podcast

Root Causes 543: AI Finds a Zero Day

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: November 5, 2025

We have seen the first known instance of an AI tool discovering a zero-day vulnerability. This could have vast implications for vulnerability detection and bug bounty programs. We discuss those implications.

Podcast Transcript

Tim Callan: All right, Jason, you called my attention to an article. Let me just say what it is. It was a blog post written by Sean Heelan, May 22, 2025, on Sean's blog. And the title of it is How I Used o3 to Find. So tell me about this.
Jason Soroko: Sean Heelan, white hat researcher. I believe this is the first publicly talked-about instance where a large language model was fed a lot of code and it found a zero day. That's a big deal. According to the article, 12,000 lines of code - that's a lot - in the Linux kernel, and specifically it found a zero day in the SMB server. So this was OpenAI's o3 model, and I talked to you earlier during the recording sessions today about how I found o3 to be just remarkable in its inventiveness and its ability to come up with original thoughts. But it's also, because of its reasoning engine, able to look at code from a couple of steps back and look at it like a white hat researcher would. And so a zero day popped up, and it was published as a CVE by Sean. And good on him for admitting, hey man, I just threw this into o3. He did a lot of work. It wasn't like he threw it into o3 and it just found it. He threw it in and threw it in and ran it and ran it and ran it. I think it cost him a little over 100 bucks in API calls. That's what was claimed in the article. And I think he tried other reasoning engines, reasoning LLMs, as well. And o3 just happened to pop out the correct answer of the zero day a little more often than the other ones. So he actually did a lot of good AI research in not just finding the zero day. What does that mean, Tim? I'm going to state the obvious, and then I'm going to get your reaction. Well, now that we see that, I think the floodgates are wide open.
Tim Callan: I completely concur. A bunch of things occur to me. One of them is, if you can find a zero day for 100 bucks, you could just arbitrage bug bounty programs, for starters.
Jason Soroko: That may be one of the biggest arbitrage opportunities in the world right now.
Tim Callan: Just pay $100 for a bug and make a couple grand for it, and just do this as fast as you can.
Jason Soroko: Hey, there's a GitHub of Oracle, Microsoft, find me stuff.
Tim Callan: Absolutely. And then, connected to that, I would kind of say, and good. I mean, the bug bounty programs are there because they want to find the bugs. If they're paying on bugs that they want to find anyway, and if this model makes it possible for people to more effectively find them before we find the zero days the hard way, then good. Ain't nothing wrong with it at all. It just seems like an obvious thing that people are going to be doing. The second thing that occurs to me, though, is if you have access to a huge amount of LLM compute, and you're wearing the black hat, why aren't you doing this exact same thing ASAP and putting those in your zero day cache?
Jason Soroko: I guarantee it's happening as we speak. Because Sean Heelan, white hat, he blogged about it and told us about it, full disclosure. And of course, that's great, because Linux can, you know, the kernel people can put the patch in. And that's great. The bad guys are banking zero days.
Tim Callan: You bet the floodgates are open. So two things occur to me. The first one is, if you are a bug bounty researcher, the opportunity is there to essentially arbitrage a bug. If I can pay $100 to find a bug, and I will be paid $1,000 by the software developer, why would I not be finding these things as fast as I conceivably could be? And I'm sure people are.
Jason Soroko: I guarantee it, and so are the bad guys.
Tim Callan: Then the other side is, if I'm wearing the black hat, and I have a large amount of resources available to me, I should be banking these things as fast as I conceivably can.
Jason Soroko: Zero question, and that lends itself even to nation states, which should have unbelievable power to be able to search code bases for all sorts of things.
Tim Callan: And there's so much code out there. There are so many places to look. Now, the one thing that occurs to me is that the tools are very similar for both sides of this race. So if I'm the black hat, I'm using tools and techniques that are an awful lot like what the white hat is using, which means that there may be a more limited time window on these AI-discovered flaws. If we're doing it the old-fashioned way, if we are a nation state with a lab somewhere where our guys are looking for zero days and they're putting those zero days away, just from the articles and stuff that I read, sometimes these guys sit on these things for years. And it may be that sitting on these for years isn't really a viable strategy in the new world, because the way I discovered it is available to the other side, and I have a high degree of confidence that somebody over there is using very similar techniques to what I used to find this in the beginning.
Jason Soroko: There's an old saying in hotel and airline loyalty points programs - earn and burn. I think the black hat economy of zero days is going to be maybe a little bit more earn and burn.
Tim Callan: So they'll be a little more aggressive and faster in their use of these zero days, on the assumption that the likelihood that it just gets pulled out from under their feet is much higher than it would have been with a zero day that was discovered the old way.
Jason Soroko: Hyper-automation everywhere, and acceleration due to new toolsets such as reasoning tools, is changing everything. That's why we said in an earlier podcast, AI isn't the elephant in the room, it is the room. Because it's fundamentally changing every aspect of just about everything we are doing. So, same as everybody else. We're a very niche topic of PKI, cybersecurity, digital identity, but it affects us as much as it affects anybody else.
Tim Callan: That's a big outcome.
Jason Soroko: It's the beginning of a change. And this zero day wasn't something you could discover with a fuzzer. Fuzzers are tools that are meant to look for specific kinds of problems, like a buffer overflow. This was found by reasoning. I said to you earlier today, o3 has a sparkle of inventiveness to it. Now, it's got problems, and if you use it improperly, sometimes it doesn't do well, but, my goodness, you give it half a chance, it can surprise you with original thought and thoughts you never would have had, and even thoughts white hat researchers - black hats - wouldn't have had either. And therefore that inventiveness is so important when the game is about diagonal thinking. Finding zero days that are not just buffer overflows is about diagonal thinking. That's the greatest black hats and white hats that exist. That's how their brains are oriented. They don't look at a system the way it was designed to work. They are masters of how it should work. Masters to the point where they can turn it on its edge and go, it can also work this way, in ways the people who designed it never thought. So imagine taking the greatest diagonal thinker in the world right now, which might be the o3 model, and putting it against these problems. To me, we will look at o3 one day and go, that's primitive.
Tim Callan: For sure. Absolutely. And so that's the other interesting thing, is to start to imagine. You say, okay, well, right now this revelation is probably transforming white hat and black hat research, and the whole bug bounty philosophy and all that stuff will transform fast. So then you start to imagine the capabilities of an AI 10 years from now.
Jason Soroko: End of 2025 AI. 10 years?
Tim Callan: I mean, what is that? You could imagine it being a really, really good thing, because you apply the power of this very powerful AI to making our code solid and robust in the first place, and you can't find a vulnerability that isn't there. On the other hand, you could imagine it coming up with a whole new category of exploit that we just don't even consider today. And it's like the whole arms race thing just continues.
Jason Soroko: So Tim, you and I are going to have future podcasts on the application of AI against post-quantum algorithms and their implementations.
Tim Callan: We do need to discuss that. That seems like another obvious one, and maybe against non-post-quantum algorithms. The application of AI to attacking RSA and ECC.
Jason Soroko: Well, Michele Mosca himself said, look, we kind of drained the resources, ceased to really look at breaking RSA.
Tim Callan: That was Michele's point. No cutting-edge researcher is going to put their attention on RSA when it's more likely they'd break one of these post-quantum algorithms, and also it's more important to break them, right? And if you want to make your career and get tenure, you're going to do it by finding that flaw in ML-DSA, not by finding that flaw in RSA.
Jason Soroko: Perfect.
Tim Callan: Agreed. Understood. However, if I've got all the compute I want, why wouldn't I try to break RSA while I'm at it?
Jason Soroko: And I'm thinking of nation states who have all sorts of motivation to break RSA with a classical computer.
Tim Callan: And who know perfectly well, as you and I have discussed in many episodes of this podcast, that there's going to be a whole lot of RSA for a whole long time, including beyond 2035, whether we want it or not.
Jason Soroko: Here is my final thought on this, Tim, which is, okay, so for those of you who might not understand the implications of some of the words, o3 is a reasoning model, and what solved this was reasoning. Not math. Reasoning.
Tim Callan: Yes. Fair enough.
Jason Soroko: So reasoning is now at the point where it can not just look at code, but step back 15 paces and go -
Tim Callan: What does this code mean? What's it for? What are the implications of it? Yes.
Jason Soroko: And thinking diagonally, the way a white hat or a black hat would. So o3 reasoning models, we now know we can. But some of these problems, like, for example, number systems, which human beings have been thinking about for, what, 200-something-plus years. And that's why RSA is so bloody strong, because we have 200 years of the best minds in the world who thought about number theory. And the unique nature of prime numbers on top of it is just incredible. However, thinking diagonally is not something that a lot of mathematicians are particularly great at. A lot of mathematicians are great at math because they're great at the math that was defined for them. Like, who were the true greats? I'm thinking of Newton and Leibniz coming up with calculus. They invented a new form of math in order to express ideas that just couldn't be expressed any other way. And what I'm thinking is this. Because mathematicians - God love them - they're also purists and pedantic about, well, this is the math. And there are very few mathematicians who say, I'm going to make new math. Well, AI, as good as the reasoning models have become, it's even better at math. So if you add that inventiveness to pure math skills in today's and near-tomorrow's AI, to me, it becomes like, wow. My gut feel says to me that number theory will be solved.
Tim Callan: I was gonna say you could extrapolate from that. And we're obviously a PKI podcast, so we're trying to stay focused on the cryptography, but the implications of all of what you're saying, I think, are applicable to math much more broadly than our narrow cryptographic concerns.
Jason Soroko: Absolutely.
Tim Callan: I think they're applicable pretty universally.
Jason Soroko: I find it interesting how mathematicians are particularly interested in cryptography because it's such a cool math problem. But you're right, math in general is a gigantic topic. Therefore, wow. The implications are incredible. I mean, Michele Mosca himself said AI will be an accelerative tool to anybody in the field. If you have a really good mathematician who knows how to use AI, that's a powerful person. And I'm just making the point here, Tim, that we just saw reasoning, non-math reasoning, being strong enough to find zero days. I say that if you look at the benchmarks of what AIs are actually good at right now, they're probably better at math than anything, and the acceleration of AI capabilities, to me, they're accelerating faster in math skills than in anything else. And I think that that will be an interesting moment, and it probably won't be that long from now, where the world's greatest mathematician won't be as smart as an AI. An off-the-shelf consumer AI. Massive implications.
Tim Callan: Massive implications. All right, wow. Well, that was a bit of a ramble, but that was a really interesting time.
Jason Soroko: That's where we are in the state of the world right now. Stay tuned. Thanks, Tim.
Tim Callan: Stay tuned.
