
Shadow patching: using AI to discover undisclosed security fixes in open-source
Shadow or silent patching (fixing security vulnerabilities without disclosure) presents a critical blind spot in software supply chain security. With 1 in 6 vulnerabilities patched silently, traditional security tools relying on public vulnerability databases like CVE or NVD fall short, leaving organizations exposed to unknown risks. This presentation introduces novel research that harnesses the power of Large Language Models (LLMs) to detect these hidden vulnerabilities in open-source software.
We'll show how our novel dual-LLM architecture analyses public changelog data to identify and classify silently patched vulnerabilities. Through a live demo, we'll show how this AI-driven method has allowed us to uncover hundreds of previously unknown vulnerabilities in major open-source projects, with 20% classified as critical or high severity.
Key points:
- The threat landscape of silent patching and its impact on supply chain security
- Detailed breakdown of our dual-LLM model architecture and methodology
- Real-world findings and their implications for the security community
- The crucial role of Human-in-the-Loop (HITL) verification in the AI-driven process
- Benchmarking results against traditional security research methods
- Limitations of the current approach and future improvements
Dr. Frederick Ryckbosch is the principal AI engineer and researcher for Aikido Security. Prior to joining Aikido, he was the head of AI at New Relic and also the co-founder and CTO of CoScale, a provider of full stack monitoring for microservices, which was acquired by New Relic in 2018. He holds a Ph.D. in Computer Science from Ghent University in Belgium and has deep technical knowledge in both software engineering and AI.