AI Agent Earns $1K for 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs

Summary
– A security startup’s autonomous AI agent discovered 21 previously unknown vulnerabilities in FFmpeg.
– The vulnerabilities were found in the open-source media library embedded in many video-related applications.
– The discovery run cost approximately $1,000 in compute resources.
– Some of the bugs had been hidden in the codebase for over 20 years.
– Days after the discovery, Google released a major Chrome update patching a record 429 security bugs.

A security startup has demonstrated the power of autonomous AI by uncovering 21 zero-day vulnerabilities in FFmpeg, the widely used open-source media library that powers nearly everything handling video. The company, depthfirst, completed the discovery run for roughly $1,000 in compute costs. Shockingly, some of these flaws had remained hidden in the codebase for over two decades. Just days after that breakthrough, Google released a major update for Chrome, patching a record 429 security bugs in a single sweep.
The AI agent operated independently, scanning and probing FFmpeg’s vast code without human intervention. This achievement highlights a growing trend: automated AI security testing can now outperform traditional manual auditing, both in speed and cost. The bugs found range from memory corruption issues to logic errors, each representing a potential entry point for attackers. Depthfirst’s success underscores how AI-driven vulnerability research is reshaping the cybersecurity landscape, making it cheaper and faster to find flaws before malicious actors do.
Meanwhile, Google’s latest Chrome update addresses an unprecedented number of vulnerabilities. The 429 patches include fixes for critical, high, and medium severity issues, covering everything from use-after-free errors to type confusion bugs. This record-breaking release reflects the browser’s complexity and the relentless pressure on developers to secure a platform used by billions. Together, these events signal a new era where AI agents and large-scale patching cycles become the norm, pushing the boundaries of what’s possible in software security.
(Source: The Next Web)




