AISLE’s autonomous analyzer found all CVEs in the January OpenSSL release

Reaction to AISLE’s OpenSSL Findings

  • Many commenters are impressed that an automated analyzer surfaced all 12 of the 12 CVEs in a heavily audited project, especially since it came with detailed reports and proposed patches.
  • Others are skeptical: the blog gives little detail on how the system works, the site was intermittently down, and there’s concern this could be another source of AI-generated noise like the curl bug-bounty spam.
  • Several people want visibility into false-positive rates and human effort required to triage results, noting that current AI-generated security reports are often very low quality but still expensive to review.

OpenSSL Codebase Critique

  • Strong consensus that OpenSSL’s code is “hostile”: old, heavily #ifdef’d C with custom allocators, deep call stacks, and accreted features from decades of work.
  • Its CI is described as flaky and sometimes ignored, letting known crashes ship.
  • This complexity is seen as a key reason vulnerabilities keep appearing and are hard to find manually.
  • Some argue OpenSSL’s dominance reflects bad incentives (tragedy of the commons, certification/FIPS requirements) rather than technical merit.

Alternatives and Migration

  • Multiple commenters recommend alternatives: BoringSSL, LibreSSL, AWS’s s2n and aws-lc, wolfSSL, libsodium, formally verified crypto (HACL*/EverCrypt), and newer stacks like rustls/ring or ocaml-tls.
  • There is frustration that large distros have not moved away from OpenSSL despite Heartbleed and ongoing issues.

AI for Security vs AI for Coding

  • Several participants are bearish on AI as a primary code author but bullish on AI tools for auditing and vulnerability discovery.
  • Others claim AI already creates “working” software at industry-typical quality; critics respond that productivity gains are offset by integration and verification overhead.
  • Dual-use is a big worry: if AI can help defenders find bugs, attackers can also use it to mine abandonware and long-tail services at scale.

Ecosystem & Patch Logistics

  • Commenters highlight systemic problems: huge amounts of unmaintained software, static linking (a distro's shared-library update does not reach a copy of OpenSSL compiled into a binary), container sprawl (images carry their own copies), and slow distro backports all make timely patching difficult.
  • Even with better discovery, propagating fixes across distros, vendors, and users is seen as a major unsolved challenge.
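
One concrete form of the static-linking problem above is that the package manager only knows about the shared libssl; binaries that bundle their own OpenSSL are invisible to it. The script below is an added example (not code from AISLE, OpenSSL, or anyone in the thread) that finds such copies by looking for the version text OpenSSL embeds in anything it is linked into (the `OPENSSL_VERSION_TEXT` string, e.g. `OpenSSL 1.1.1k  25 Mar 2021`) and flags copies older than a fixed release on their branch. The sample file tree, the fixed-version table, and the helper names are constructed for the example.

```python
"""Find statically linked / vendored OpenSSL copies by their embedded
version string and flag those older than a known-fixed release.

Added example, not project code. Assumptions: linked binaries carry the
OPENSSL_VERSION_TEXT string ("OpenSSL <version> <dd Mon yyyy>"), and the
FIXED table below is a constructed stand-in for whatever releases your
advisory says are fixed on each branch.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# OPENSSL_VERSION_TEXT layout. Requiring the trailing date avoids matching
# prose such as "OpenSSL 1.0.2 compatible" in unrelated strings.
VERSION_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})\s+(\d{1,2} \w{3} \d{4})"
)

# Constructed fixed-version table, keyed by release branch. In real use,
# fill this from the advisory for the CVE you are chasing.
FIXED: Dict[str, str] = {"1.1.1": "1.1.1w", "3.0": "3.0.13"}


def parse_version(v: str) -> Tuple[int, int, int, str]:
    """'1.1.1k' -> (1, 1, 1, 'k'); '3.0.13' -> (3, 0, 13, '')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"not an OpenSSL version: {v}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def branch_of(v: str) -> str:
    """1.x releases patch by letter within 'a.b.c'; 3.x patch within 'a.b'."""
    a, b, c, _ = parse_version(v)
    return f"{a}.{b}.{c}" if a < 3 else f"{a}.{b}"


def embedded_openssl_versions(path: str) -> List[str]:
    """Distinct OpenSSL version strings found in one file, in order seen."""
    with open(path, "rb") as f:
        data = f.read()
    found: List[str] = []
    for m in VERSION_RE.finditer(data):
        v = m.group(1).decode()
        if v not in found:
            found.append(v)
    return found


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map each regular file (relative to root) carrying an OpenSSL
    version string to the versions it carries. Symlinks are skipped so
    one library is not reported under every alias."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue
            try:
                versions = embedded_openssl_versions(p)
            except OSError:
                continue
            if versions:
                hits[os.path.relpath(p, root)] = versions
    return hits


def stale_copies(hits: Dict[str, List[str]],
                 fixed: Dict[str, str] = FIXED) -> Dict[str, List[str]]:
    """Subset of hits whose version is below the fixed release for its
    branch. A branch with no entry in `fixed` is reported as stale too:
    nothing says it was patched."""
    stale: Dict[str, List[str]] = {}
    for path, versions in hits.items():
        bad = []
        for v in versions:
            fixed_v = fixed.get(branch_of(v))
            if fixed_v is None or parse_version(v) < parse_version(fixed_v):
                bad.append(v)
        if bad:
            stale[path] = bad
    return stale


def build_sample_tree() -> str:
    """Constructed sample tree: a fake ELF with a vendored 1.1.1k, the
    distro's shared lib at 3.0.13, an app bundling 3.0.2, and a file
    with no OpenSSL string at all."""
    root = tempfile.mkdtemp(prefix="openssl-scan-")
    samples = {
        "usr/bin/vendored-tool": b"\x7fELF..\x00OpenSSL 1.1.1k  25 Mar 2021\x00",
        "usr/lib/libssl.so.3": b"\x7fELF..\x00OpenSSL 3.0.13 30 Jan 2024\x00",
        "opt/app/bin/server": b"\x7fELF..\x00OpenSSL 3.0.2 15 Mar 2022\x00",
        "etc/motd": b"Welcome. OpenSSL 1.0.2 compatible API in use.\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, versions in stale_copies(scan_tree(tree)).items():
        print(f"STALE {path}: {', '.join(versions)}")
```

Run against `/` (or an unpacked container image root) instead of the sample tree, and every hit that is not the distro's own `libssl`/`libcrypto` is a copy the package manager will not update for you; the version string is a heuristic, so confirm with the vendor before filing a ticket.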

Trust, Marketing, and Openness

  • Some speculate about perverse incentives (e.g., buying zero-days and attributing them to AI, or training on undisclosed exploits) but admit there’s no evidence of this.
  • Others criticize the closed SaaS, demo-gated nature of the tool; they’d prefer reproducible, open methods.