OpenAI launches preview of AI vulnerability scanner Codex Security

While Claude already finds over 100 vulnerabilities in Firefox, OpenAI announces Codex Security, an AI vulnerability scanner.

(Image: Logo and name of OpenAI on a smartphone, with greatly enlarged red pixels in the background. Camilo Concha / Shutterstock.com)

Last week, Anthropic reported successes of its AI vulnerability scanner based on Claude Opus 4.6, stating that it had discovered more than 100 security vulnerabilities in Firefox. OpenAI is not letting this go unchallenged. Its vulnerability-hunting AI, previously known as “Aardvark” and accessible to a limited group as a private beta since last year, is now available as a research preview called “Codex Security”.

OpenAI announced this on its website. The company describes the AI vulnerability scanner as an “Application Security Agent”. It is designed to capture extensive context from projects and identify vulnerabilities that other tools cannot detect. The identified vulnerabilities are to come with suggested fixes that improve system security, while sparing users the noise of insignificant findings.

Context is crucial for classifying the real threat posed by a vulnerability, OpenAI explains. However, most AI tools deliver findings of low importance or outright false positives, costing security teams significant time in triage. Daniel Stenberg, developer of the curl project, can attest to this: because of the flood of “knight-errant” reports lacking any substance, he initially scrapped the bug bounty program on HackerOne entirely. At the end of February, however, he brought curl back to HackerOne – bug management had become unmanageable, and important functions were missing without a platform like HackerOne.

Regarding how the AI vulnerability scanner works, OpenAI states that the system first builds context, automatically recognizes the security-relevant structure of the project, and derives a threat model from it. This model is based on what the system does, whom it trusts, and where its largest attack surfaces lie; the threat model can then be adjusted. Using this information, the AI searches for vulnerabilities and estimates their actual severity in practice. Where possible, it also validates findings in sandbox environments, which reduces false alarms. Additionally, it generates proof-of-concept code that helps developers with triage and remediation. Codex also suggests fixes for the issues it identifies.


Codex Security is therefore intended to deliver better results and ease the bottleneck in the review process that arises from accelerated development, for instance with the help of AI. In initial tests, the AI uncovered several relevant security vulnerabilities, OpenAI explains. OpenAI has analyzed the source code of several open-source projects with Codex Security. At the end of its announcement, the company listed 15 vulnerabilities, with their CVE entries, that the Codex Security AI had discovered. Many of these carry a CVSS risk rating of “medium”, but some were also categorized as high-risk. Some open-source project contributors have since gained access to “Codex for OSS”, with free access to ChatGPT Pro and Plus, Code Review, and Codex Security. OpenAI intends to expand this program to more open-source projects.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.