AI's Bug-Hunting Prowess Creates New Security Crisis: Too Many Vulnerabilities, Not Enough Fixes
#Vulnerabilities

Privacy Reporter
4 min read

AI tools like Claude Code can find hundreds of vulnerabilities but struggle to get them fixed, overwhelming open-source maintainers and creating a backlog of unpatched security holes.

AI has gotten remarkably good at finding software vulnerabilities, but security researchers warn that this capability is creating more problems than it solves. While tools like Anthropic's Claude Code can identify hundreds of potential security flaws, the vast majority remain unpatched, leaving systems exposed and maintainers overwhelmed.

The issue came to light when Anthropic touted Claude Code Security's ability to find "over 500 vulnerabilities in production open-source codebases." However, security experts point out that only two or three of these vulnerabilities have actually been fixed. This disconnect between discovery and remediation is creating a new kind of security crisis.

The Discovery-Remediation Gap

Guy Azari, a former security researcher at Microsoft and Palo Alto Networks, explains the fundamental problem: "Out of the 500 vulnerabilities that they reported, only two to three vulnerabilities were fixed. If they haven't fixed them, it means that you haven't done anything right."

The issue isn't that AI can't find bugs. Finding them is only the first step in a longer process: security teams need to validate that a finding is actually reachable and exploitable rather than a suspicious-looking pattern, assess its real-world impact, coordinate disclosure with maintainers, and develop patches that fit the existing code without breaking it. Each of these steps takes time and expertise that AI currently cannot provide.

Overwhelming Open Source Maintainers

The problem is particularly acute in the open-source community, where maintainers are already stretched thin. The curl project recently closed its bug bounty program specifically because it was receiving too many poorly crafted reports from AI systems and human researchers alike. As Azari notes, "The maintainers of curl closed their program two months ago or something like that because they just got too many false positives and they couldn't deal with the load."

This creates a vicious cycle: AI tools generate more vulnerability reports, maintainers become overwhelmed and less responsive, and the backlog of unpatched vulnerabilities grows. According to Azari, the National Vulnerability Database had a backlog of roughly 30,000 CVE entries awaiting analysis in 2025, with nearly two-thirds of reported open source vulnerabilities lacking an NVD severity score.

The False Positive Problem

AI's tendency to assume that code patterns represent vulnerabilities without understanding context creates significant noise in the vulnerability reporting process. As Azari explains from his experience at Microsoft's Security Response Center, "When AI was introduced, it just multiplied by 100x or 200x and added a lot of noise because AI assumes that these are vulnerabilities, but there wasn't like a unit that actually can show the real value or the real impact."

This flood of potentially false or low-priority vulnerabilities makes it harder for security teams to identify and address the truly critical issues that pose real threats to systems and users.
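The distinction the two sections above draw, between a pattern that looks like a vulnerability and a finding that has been shown to produce a harmful outcome, is something a triage process can enforce mechanically. The following is an added example, not code from the article, Anthropic or Socket: a small gate that refuses to treat a scanner finding as confirmed until a reproducer demonstrates the bad outcome against the shipped code, and refuses a candidate patch until the same reproducer stops firing and existing behaviour is preserved. The code under review (a hypothetical static-file helper with a constructed path-traversal flaw), the rule name, the payloads and the regression cases are all constructed for the example.

```python
"""Triage gate for scanner findings.

A finding is only 'confirmed' when a reproducer demonstrates the harmful
outcome against the shipped code, and a candidate patch is only accepted when
the same reproducer no longer fires AND existing behaviour still works.
Everything below (code under review, rule names, payloads) is constructed
for this example.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Optional

STATIC_ROOT = "/srv/app/static"  # hypothetical document root


# --- code under review (constructed) ---------------------------------------

def serve_static_v1(user_path: str) -> str:
    """Shipped version: joins attacker-controlled input into a path."""
    return posixpath.normpath(posixpath.join(STATIC_ROOT, user_path))


def serve_static_bad_patch(user_path: str) -> str:
    """Naive fix: blocks '..' but still accepts absolute paths."""
    if ".." in user_path:
        raise PermissionError("traversal rejected")
    return posixpath.normpath(posixpath.join(STATIC_ROOT, user_path))


def serve_static_v2(user_path: str) -> str:
    """Correct fix: normalise, then require the result to stay under the root."""
    full = posixpath.normpath(posixpath.join(STATIC_ROOT, user_path))
    if not full.startswith(STATIC_ROOT + "/"):
        raise PermissionError("path escapes static root")
    return full


def load_banner() -> str:
    """Same join pattern, so a pattern-based scanner flags it too,
    but the input is a constant and no attacker data reaches it."""
    return posixpath.normpath(posixpath.join(STATIC_ROOT, "banner.txt"))


# --- reproducers: check the outcome, not the code pattern ------------------

TRAVERSAL_PAYLOADS = ["../../etc/passwd", "/etc/passwd"]


def traversal_escapes(fn: Callable[[str], str]) -> bool:
    """True if any payload makes fn() resolve a path outside STATIC_ROOT."""
    for payload in TRAVERSAL_PAYLOADS:
        try:
            out = fn(payload)
        except PermissionError:
            continue
        if not out.startswith(STATIC_ROOT + "/"):
            return True
    return False


def banner_escapes(fn: Callable[[], str]) -> bool:
    """No input to control; the only question is where the path resolves."""
    return not fn().startswith(STATIC_ROOT + "/")


# --- the gate ---------------------------------------------------------------

@dataclass
class Finding:
    id: str
    rule: str
    target: Callable
    reproducer: Optional[Callable[[Callable], bool]] = None
    patch: Optional[Callable] = None
    # (input, expected output) pairs the patch must preserve
    regressions: list = field(default_factory=list)


def triage(f: Finding) -> str:
    if f.reproducer is None:
        return "unverified"            # pattern match only; do not file yet
    if not f.reproducer(f.target):
        return "false_positive"        # sink exists but the outcome does not
    if f.patch is None:
        return "confirmed_unpatched"
    if f.reproducer(f.patch):
        return "patch_rejected"        # still exploitable
    for arg, expected in f.regressions:
        if f.patch(arg) != expected:
            return "patch_rejected"    # fix breaks existing behaviour
    return "patched"


REGRESSIONS = [("css/site.css", STATIC_ROOT + "/css/site.css")]

FINDINGS = [
    Finding("F-1", "path-join-user-input", serve_static_v1),  # raw scanner output
    Finding("F-2", "path-join-user-input", load_banner, banner_escapes),
    Finding("F-3", "path-join-user-input", serve_static_v1, traversal_escapes,
            serve_static_bad_patch, REGRESSIONS),
    Finding("F-4", "path-join-user-input", serve_static_v1, traversal_escapes,
            serve_static_v2, REGRESSIONS),
]


def triage_all(findings=FINDINGS) -> dict:
    return {f.id: triage(f) for f in findings}


if __name__ == "__main__":
    for fid, verdict in triage_all().items():
        print(fid, verdict)
```

The four findings all come from the same scanner rule, but only one of them should reach a maintainer as a patch: F-1 has no reproducer and stays unverified, F-2 flags the same join pattern on a constant and is a false positive, F-3's patch is rejected because a second payload still escapes the root, and F-4 is the only one that both reproduces and is fixed without breaking the regression case. The reproducer deliberately tries more than one payload; a gate that tested only the payload in the original report would have accepted the naive patch.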

The Industry Response

Feross Aboukhadijeh, CEO of security firm Socket, acknowledges that AI tools are dramatically improving at discovering vulnerabilities, but emphasizes that "the harder part isn't finding issues anymore. It's everything that happens after."

Socket has developed Certified Patches as one potential solution: fixes applied directly to the dependency version a project already uses, rather than requiring an upgrade to the upstream patched release, which can bring breaking changes along with the fix. This approach recognizes that the bottleneck isn't just finding vulnerabilities, but landing fixes that don't break existing functionality.

The Future of Security

Security experts predict that we're approaching a point where vulnerability disclosures will outpace remediation capacity. As Aboukhadijeh puts it, "The competitive advantage will not belong to whoever can generate the most findings. It will belong to whoever can convert findings into safe, prioritized, low-disruption change."

This shift suggests that the future of cybersecurity will depend less on detection capabilities and more on efficient triage, validation, and patch management systems. Companies that can effectively process the flood of AI-generated vulnerability reports and turn them into actionable security improvements will have a significant advantage.

What This Means for Users and Companies

For end users, this situation means that even as AI improves at finding security flaws, the actual security of their software may not improve correspondingly. The gap between discovery and patching means vulnerabilities can remain in production code for extended periods.

For companies, the challenge is developing processes and tools that can handle the increased volume of vulnerability reports while maintaining accuracy and efficiency. This may require investment in automated validation systems, improved coordination with open-source communities, and new approaches to patch management that minimize disruption.

The security landscape is evolving rapidly, and while AI has given us powerful new tools for finding vulnerabilities, it has also created new challenges that the industry is still learning to address. The next frontier in cybersecurity won't be better detection—it will be better remediation.
