The 360 AI Security Research Institute recently published a report highlighting a significant shift in AI-driven vulnerability mining. The focus is moving away from merely demonstrating the capabilities of models and towards engineering validation within real systems, ecosystems, and attack chains. According to the report, future AI security contests will hinge on the capacity to handle the entire vulnerability lifecycle, from discovery and explanation to verification, repair, and blocking, within authentic environments.
The report describes two technical pathways for advancing this field. The first, termed the 'capability emergence route,' leverages the code comprehension abilities of large models. The second, known as the 'engineering practice route,' combines expert insights with automated processes to enhance efficiency and accuracy.
Notably, the 360 vulnerability mining agent has uncovered 23 high-risk vulnerabilities within the OpenClaw ecosystem and 13 zero-day vulnerabilities on the Flowise platform. In total, it has amassed a repository of 3,432 vulnerabilities, with 105 of these confirmed by regulatory bodies. The report underscores that vulnerabilities within agent ecosystems can spread through frameworks and toolchains, posing systemic risks. Consequently, it advocates establishing a comprehensive, full-chain governance system to mitigate these threats.
