Google’s DeepMind has introduced a groundbreaking AI agent named CodeMender, designed to automatically identify, fix, and rewrite vulnerable code to prevent future exploits. This development strengthens Google’s ongoing efforts in AI-driven vulnerability detection, complementing tools such as Big Sleep and OSS-Fuzz.

How CodeMender Works
CodeMender operates both reactively and proactively, meaning it not only fixes newly discovered vulnerabilities but also reviews and secures existing codebases to reduce entire classes of security risks. According to DeepMind researchers Raluca Ada Popa and Four Flynn, “By automatically generating and applying high-quality security patches, CodeMender allows developers to concentrate on building quality software.”
Over the last six months, CodeMender has already contributed 72 security patches to open-source projects, including some with as many as 4.5 million lines of code.
Technology Behind CodeMender
The AI agent relies on Google’s Gemini Deep Think models to identify root causes of vulnerabilities, debug them, and ensure the fixes do not introduce regressions. Additionally, it uses a large language model (LLM)-based critique tool to compare original and modified code, verify changes, and self-correct when necessary.
Google plans to gradually collaborate with maintainers of critical open-source projects, sharing CodeMender-generated patches and gathering feedback to enhance overall code security.
AI Vulnerability Reward Program
Alongside CodeMender, Google has launched an AI Vulnerability Reward Program (AI VRP). It allows security researchers to report AI-related issues, including prompt injections, jailbreaks, and misalignment, with rewards reaching up to $30,000. However, certain issues like guardrail bypasses, hallucinations, factual inaccuracies, and intellectual property conflicts are not eligible.
Commitment to AI Security
Previously, Google established a dedicated AI Red Team under its Secure AI Framework (SAIF). The second iteration of SAIF now focuses on agentic security risks, including data leaks and unintended AI actions, and implements controls to mitigate these risks.
Google emphasizes using AI to enhance cybersecurity, giving defenders better tools to counter threats from cybercriminals, scammers, and state-sponsored attackers.