Sunday QuickBite: The Hidden Cost of AI Bug Hunting
Dear QF Community,
The current disagreement between the US government and two leading US frontier AI labs over cybersecurity restrictions and the controlled release of advanced models has reopened questions that go beyond sovereign AI.
One of the most immediate concerns is what happens when advanced systems uncover large numbers of vulnerabilities in open-source software that organisations have relied upon for years.
Jessica Lyons, writing in The Register (here), describes an uncomfortable situation in which organisations using advanced cyber models are discovering vulnerabilities in code that has been deployed, scanned, and relied upon for years.
Indeed, finding a flaw in a company’s own codebase is one thing. Handling a flaw buried in a widely used dependency is another. This is because modern software stacks pull together libraries and packages from dozens, sometimes hundreds, of projects, many maintained by small teams, volunteers, or people who may no longer be actively working on the code.
Furthermore, once a model flags a possible vulnerability, somebody still has to establish that it is genuine, identify the affected versions, contact the relevant maintainers, prepare and test a patch, manage the disclosure, and help downstream users update before the flaw becomes widely exploitable. None of that work disappears because AI has made the initial discovery faster.
Chainguard’s Athena coalition says it has already processed more than 20,000 findings and developed over 2,000 patches across 500 open-source projects. Its role is not simply to collect reports. It brings related findings together, removes duplicates, helps projects address broader classes of weaknesses, and reduces the likelihood that a maintainer receives hundreds of disconnected reports about the same underlying issue. The Linux Foundation’s Akrites initiative reflects the same concern, with an emphasis on coordinated disclosure and shared incident response for open-source maintainers.
The Asymmetry of Access
Much of the discussion around AI and cybersecurity has focused on the prospect of attackers gaining better tools to identify and exploit weaknesses. That risk is real, but there is also a less discussed problem on the defensive side. Advanced models may uncover vulnerabilities faster than open-source projects can verify them, prepare patches, release updates, and help users adopt those fixes.
This is because vulnerability discovery and vulnerability remediation are very different kinds of work. Running a model across a codebase may become cheap and repeatable, while reviewing a finding, establishing whether it is genuine, identifying the affected versions, testing a patch, managing disclosure, and supporting downstream users still depends on people. Many open-source projects are maintained by small teams, volunteers, or individuals with little funding and no spare capacity for a sudden increase in security reports.
For that reason, the argument over access to frontier cyber models is more complicated than it first appears. Tighter controls may keep the most capable systems away from some malicious users, but they also place powerful defensive tools inside a small group of companies and governments. Broader access could give more security teams and maintainers the ability to inspect the software they rely on, while also expanding the number of people able to use the same capabilities for harmful purposes.
The people caught in the middle are often the maintainers of open-source projects. They may be asked to absorb a growing volume of vulnerability reports, patch requests, and disclosure obligations without the staff, funding, or institutional support needed to manage them. Open-source software underpins much of the internet, finance, healthcare, research, and public services, so this is not a niche concern for software developers alone.
If AI sharply lowers the cost of finding flaws while the cost of fixing them changes very little, the pressure will fall most heavily on the people and projects least equipped to carry it. The important work will be building the funding, coordination, disclosure processes, and practical support that allow vulnerability reports to become safe and usable software updates.
Live Quantum Programming with Divi by Qoro Quantum
We are pleased to announce that Q-Activate member Qoro Quantum will lead a live tutorial demo for the QF community on Tuesday 30 June at 6pm CEST. The session will introduce Divi (https://docs.qoroquantum.net/divi), Qoro Quantum’s open-source Python toolkit for building, executing, and managing quantum programs.
As early quantum hardware becomes more accessible, programming quantum computers involves far more than writing circuits in the way one might write a conventional software application. Many useful workflows combine classical optimisation with repeated quantum execution, measurement, noise-aware post-processing, and deployment across different backends. Divi is designed to make that work more manageable by providing higher-level tools for variational quantum algorithms, combinatorial optimisation, quantum chemistry, and Hamiltonian simulation, alongside support for parallel execution, error mitigation, checkpointing, and multiple backends.
The goal is to reduce some of the operational overhead that comes with quantum–classical workflows, so that users can spend more of their time on the scientific or computational problem they want to investigate. This is particularly useful for researchers and developers who want to experiment across different quantum platforms without having to rebuild the surrounding workflow each time.
How to Attend
You can watch the tutorial live via:
Wishing you all a wonderful week ahead.
Quantum Formalism (QF) team


