Claude Found 500+ Zero-Day Vulnerabilities in Open Source Code
Anthropic has published results from its AI-powered bug bounty program, MAD Bugs, and the numbers are striking. Claude identified over 500 zero-day vulnerabilities in open source projects, autonomously, without a human triggering each scan.
The program represents what is now called autonomous security testing. Claude was tasked with scanning well-known open codebases not to find known flaws, but to discover new, unpatched holes. The results exceeded the team's expectations.
Zero-day vulnerabilities are security flaws that are not publicly known and therefore unpatched. They are highly sought after by both criminal actors and state-sponsored groups, and command premium prices on dark markets. An AI model finding 500+ of them in a single program is a clear signal that the security industry is undergoing a structural shift.
For CIOs and CISOs, this means AI is no longer a support tool in security work. It is becoming the primary engine. The ability to run continuous, autonomous vulnerability scanning will likely be a necessity, not a competitive advantage, within a few years.
Anthropic says findings will be reported to the responsible project owners. The program is part of the company's broader effort to demonstrate that AI can be used to strengthen digital infrastructure, not just challenge it.