The test just changed: AI found the bug, humans fixed it in 6 hours, and nobody's talking about what happens when AI finds it first and doesn't tell you.

The Summary

  • Wiz Research used AI models to find a critical remote code execution vulnerability in GitHub's internal git infrastructure that could have exposed millions of public and private repositories
  • GitHub's security team validated, fixed, and deployed a patch in under 6 hours — 40 minutes to confirm severity, the rest to ship the fix
  • A high-profile demonstration of AI-assisted vulnerability discovery against live production infrastructure, raising the stakes for both attackers and defenders in the agent economy

The Signal

This is the opening shot in a new arms race. Wiz Research deployed AI models to probe GitHub's infrastructure and surfaced a remote code execution vulnerability that could have given attackers access to the entire constellation of code repositories on the platform. Public, private, enterprise. The whole stack. GitHub's CISO Alexis Wales says they confirmed severity in 40 minutes and had a fix deployed in under six hours total.

That timeline matters less than the method. AI surfaced this vulnerability. Not a researcher grinding through code for weeks. Not a lucky accident during a routine audit. An AI model, pointed at one of the most critical code hosting platforms on Earth, with humans validating what it turned up.

"This was a critical issue that required immediate action."

Here's what nobody's saying out loud yet: if Wiz can do this as a white hat security firm, so can anyone else with similar models. The asymmetry is brutal. One AI-assisted researcher can now probe infrastructure that would have required a team of specialists and months of work. The attack surface didn't grow. The ability to map it just got dramatically faster.

GitHub's six-hour response is legitimately impressive. But it assumes you know about the vulnerability. The new game is: what happens when an AI finds a zero-day, and the person running that AI isn't filing a bug bounty report? What happens when 100 companies get probed simultaneously by AI models looking for the same class of vulnerability, and only one of them has a security team that can move that fast?

Key implications:

  • Every major platform is now exposed to AI-assisted vulnerability discovery at scale
  • Response time becomes the decisive moat; security teams need agent-level speed to match agent-level attacks
  • The bug bounty model assumes good-faith disclosure; AI lowers the cost for anyone who chooses not to disclose

The GitHub fix shows human defenders can still move fast when they have to. But the clock is ticking differently now. AI doesn't need coffee breaks. It doesn't need to explain its work to managers. It just finds the weakness and reports back. Or doesn't report back, depending on who's paying for the compute.

The Implication

If you're running infrastructure that matters, the question is no longer whether you have good security practices. It's whether your security team can operate at agent speed. GitHub had the resources and the processes to move in under six hours. Most companies don't. The gap between discovery and exploitation just collapsed to the time it takes an AI to write an exploit and someone to run it.

Watch for two things: first, a wave of AI-assisted vulnerability disclosures as every security firm spins up similar models. Second, a sharp increase in zero-days being exploited in the wild before anyone files a report. The age of patient attackers is over. The age of AI-assisted offense just started, and defense needs to catch up yesterday.

Sources

The Verge AI