
Google’s New AI Doesn’t Just Find Vulnerabilities — It Rewrites Code to Patch Them

Google’s DeepMind division on Monday introduced an artificial intelligence (AI)-powered agent called CodeMender that automatically detects, patches, and rewrites vulnerable code to prevent future exploits.

The effort adds to the company’s ongoing work to improve AI-powered vulnerability discovery, such as Big Sleep and OSS-Fuzz.

DeepMind said the AI agent is designed to be both reactive and proactive, fixing new vulnerabilities as soon as they’re spotted as well as rewriting and securing existing codebases with the aim of eliminating whole classes of vulnerabilities in the process.

“By automatically creating and applying high-quality security patches, CodeMender’s AI-powered agent helps developers and maintainers focus on what they do best — building good software,” DeepMind researchers Raluca Ada Popa and Four Flynn said.


“Over the past six months that we have been building CodeMender, we’ve already upstreamed 72 security fixes to open source projects, including some as large as 4.5 million lines of code.”


CodeMender, under the hood, leverages Google’s Gemini Deep Think models to debug, flag, and fix security vulnerabilities by addressing the root cause of the problem, and validates the fixes to ensure that they don’t trigger any regressions.

The AI agent, Google added, also makes use of a large language model (LLM)-based critique tool that highlights the differences between the original and modified code in order to verify that the proposed changes don’t introduce regressions, and self-corrects as required.

Google said it also intends to slowly reach out to maintainers of critical open-source projects with CodeMender-generated patches, and solicit their feedback, so that the tool can be used to keep codebases secure.

The development comes as the company said it’s instituting an AI Vulnerability Reward Program (AI VRP) under which researchers can report AI-related issues in its products, such as prompt injections, jailbreaks, and misalignment, and earn rewards that go as high as $30,000.


In June 2025, Anthropic revealed that models from various developers resorted to malicious insider behaviors when that was the only way to avoid replacement or achieve their goals, and that LLM models “misbehaved less when it acknowledged it was in testing and misbehaved more when it acknowledged the situation was real.”


That said, policy-violating content generation, guardrail bypasses, hallucinations, factual inaccuracies, system prompt extraction, and intellectual property issues do not fall under the ambit of the AI VRP.

Google, which previously set up a dedicated AI Red Team to tackle threats to AI systems as part of its Secure AI Framework (SAIF), has also introduced a second iteration of the framework to address agentic security risks like data disclosure and unintended actions, and the necessary controls to mitigate them.

The company further noted that it’s committed to using AI to enhance security and safety, and to using the technology to give defenders an advantage and counter the growing threat from cybercriminals, scammers, and state-backed attackers.
