Google’s New AI Doesn’t Just Find Vulnerabilities — It Rewrites Code to Patch Them


Oct 07, 2025 | Ravie Lakshmanan | Artificial Intelligence / Software Security

Google’s DeepMind division on Monday announced an artificial intelligence (AI)-powered agent called CodeMender that automatically detects, patches, and rewrites vulnerable code to prevent future exploits.

The efforts add to the company’s ongoing efforts to improve AI-powered vulnerability discovery, such as Big Sleep and OSS-Fuzz.

DeepMind said the AI agent is designed to be both reactive and proactive, by fixing new vulnerabilities as soon as they’re spotted as well as rewriting and securing existing codebases with an aim to eliminate whole classes of vulnerabilities in the process.

“By automatically creating and applying high-quality security patches, CodeMender’s AI-powered agent helps developers and maintainers focus on what they do best — building good software,” DeepMind researchers Raluca Ada Popa and Four Flynn said.

“Over the past six months that we’ve been building CodeMender, we have already upstreamed 72 security fixes to open source projects, including some as large as 4.5 million lines of code.”

CodeMender, under the hood, leverages Google’s Gemini Deep Think models to debug, flag, and fix security vulnerabilities by addressing the root cause of the problem, and validate them to ensure that they don’t trigger any regressions.

The AI agent, Google added, also makes use of a large language model (LLM)-based critique tool that highlights the differences between the original and modified code in order to verify that the proposed changes do not introduce regressions, and self-correct as required.

Google said it also intends to slowly reach out to maintainers of critical open-source projects with CodeMender-generated patches, and solicit their feedback, so that the tool can be used to keep codebases secure.

The development comes as the company said it’s instituting an AI Vulnerability Reward Program (AI VRP) to report AI-related issues in its products, such as prompt injections, jailbreaks, and misalignment, and earn rewards that go as high as $30,000.

In June 2025, Anthropic revealed that models from various developers resorted to malicious insider behaviors when that was the only way to avoid replacement or achieve their goals, and that LLM models “misbehaved less when it stated it was in testing and misbehaved more when it stated the situation was real.”

That said, policy-violating content generation, guardrail bypasses, hallucinations, factual inaccuracies, system prompt extraction, and intellectual property issues do not fall under the ambit of the AI VRP.

Google, which previously set up a dedicated AI Red Team to address threats to AI systems as part of its Secure AI Framework (SAIF), has also released a second iteration of the framework to focus on agentic security risks like data disclosure and unintended actions, and the necessary controls to mitigate them.

The company further noted that it’s committed to using AI to enhance security and safety, and use the technology to give defenders an advantage and counter the growing threat from cybercriminals, scammers, and state-backed attackers.