We Found Zero Low-Severity Bugs in 165 AI Code Reports. Zero
Posted 5 months ago · Active 4 months ago
shamans.dev · Tech · story
Sentiment: calm, positive · Debate: 20/100
Key topics: Artificial Intelligence · Code Security · AI Research
Researchers found zero low-severity bugs in 165 AI code reports, sparking discussion on AI code security.
Snapshot generated from the HN discussion
Discussion Activity
Light discussion
First comment: 2h after posting
Peak period: 4 comments in 4-6h
Avg / period: 2
Comment distribution: 14 data points (based on 14 loaded comments)
Key moments
- Story posted: Aug 20, 2025 at 12:04 PM EDT (5 months ago)
- First comment: Aug 20, 2025 at 2:30 PM EDT (2h after posting)
- Peak activity: 4 comments in 4-6h (hottest window of the conversation)
- Latest activity: Aug 21, 2025 at 7:12 PM EDT (4 months ago)
ID: 44963161 · Type: story · Last synced: 11/20/2025, 8:00:11 PM
Based on the churn I go through fixing security vulnerabilities reported by Snyk and Trivy, I get the feeling that issues tend to be labeled mostly HIGH or CRITICAL once they are assigned a CVE, for better or worse.
https://nvd.nist.gov/general/nvd-dashboard
Our distribution (71% High, 18% Critical) is definitely skewed compared to normal CVEs. Part of this is selection bias: nobody reports when AI generates boring secure code. But even accounting for that, the pattern is real: AI seems to either nail security or fail spectacularly. Very few "medium" mistakes.
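For anyone who wants to sanity-check that baseline themselves, here's a rough sketch (assuming the public NVD 2.0 REST API and its `cvssV3Severity` filter; this isn't part of our tooling, just an illustration, and the API is rate-limited without a key):

```python
# Rough sketch: count NVD CVEs by CVSS v3 severity to get a baseline
# distribution to compare against the 71% High / 18% Critical figure above.
import requests

NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"

def count_by_severity(severity: str) -> int:
    """Return the total number of CVEs NVD lists for a given CVSS v3 severity."""
    resp = requests.get(
        NVD_URL,
        params={"cvssV3Severity": severity, "resultsPerPage": 1},
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()["totalResults"]

if __name__ == "__main__":
    counts = {s: count_by_severity(s) for s in ("LOW", "MEDIUM", "HIGH", "CRITICAL")}
    total = sum(counts.values())
    for sev, n in counts.items():
        print(f"{sev:>8}: {n:>8} ({n / total:.1%})")
```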
The key difference from your Snyk alerts: these aren't dependency updates or theoretical vulnerabilities. They're actual logic flaws:
- Missing auth checks
- SQL injections
- Hardcoded secrets
You know, the stuff that makes you go "how did this pass code review?"
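To make that category concrete, here's a hypothetical before/after of the SQL-injection flavor (illustrative only, not lifted from any of the 165 reports):

```python
# Hypothetical illustration of the "how did this pass review" category:
# string-formatted SQL (injectable) vs. a parameterized query.
import sqlite3

def find_user_unsafe(conn: sqlite3.Connection, username: str):
    # BAD: attacker-controlled input is spliced into the SQL text, so
    # username = "' OR '1'='1" returns every row in the table.
    query = f"SELECT id, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str):
    # GOOD: placeholder binding keeps the input as data, not SQL.
    query = "SELECT id, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()
```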
This is ongoing research, and hopefully we'll be in a position to draw firmer conclusions soon.
Well, at least they're honest...
Jokes aside, I'd rather admit we are working with incomplete data than pretend otherwise. We are probably seeing 5-10% of what's actually happening out there. Most AI code bugs die quietly in projects that never see production, and it is perhaps better that way.
[Not-so-]fun fact: a colleague just told me how a rogue Claude agent ran `rm -rf ~/` in a background process earlier today. It might become #166 in our report.
Makes you look guilty. Which perhaps you are.
The difference is you can at least shame your colleagues into caring about security and coding standards during code review. With AI, it's like it learned from every tutorial that said "we'll skip input validation to keep this example simple" and took that as a strict rule.
That said, even with survivorship bias, there's a pattern.
When humans write bad code, we see the full spectrum, from typos to total meltdowns. With AI, the failures cluster around specific security fundamentals (see the sketch after this list):
- Input validation
- Auth checks
- Rate limiting
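For concreteness, here's a minimal sketch of one of those fundamentals, a naive in-memory sliding-window rate limiter (process-local and illustrative only; a real service would back this with something shared like Redis):

```python
# Naive sliding-window rate limiter: at most max_calls per caller per window.
import time
from collections import defaultdict, deque

class RateLimiter:
    def __init__(self, max_calls: int, window_seconds: float):
        self.max_calls = max_calls
        self.window = window_seconds
        self.calls = defaultdict(deque)  # caller id -> recent call timestamps

    def allow(self, caller_id: str) -> bool:
        now = time.monotonic()
        recent = self.calls[caller_id]
        # Drop timestamps that have fallen out of the window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_calls:
            return False
        recent.append(now)
        return True

# Usage: reject the request (e.g. HTTP 429) when allow() returns False.
limiter = RateLimiter(max_calls=5, window_seconds=60)
print(limiter.allow("203.0.113.7"))  # True until the caller exceeds 5/min
```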
I've never seen an AI typo, have you?
Does that mean AI learned to code from tutorials that skip the boring security chapters? Think about it.
So yes, we are definitely seeing survivor bias in severity reporting. But the "types" of survivors tell us something important about what AI consistently misses. The low-severity bugs probably exist; they're just not making headlines.
The real question: if this is just the visible part of the iceberg, what's underneath?
"Did you hit your wife?"
"I haven't murdered anybody."
"Murder?? Nobody mentioned murder, Mr Fieldman."
Anyway, I see numbers but no message.