AISLE's autonomous analyzer found all 12 CVEs in the January 2026 coordinated release of OpenSSL, the open-source cryptographic library that underpins a substantial proportion of the world’s secure communications. Some of these vulnerabilities had persisted in OpenSSL code for decades, evading the notice of thousands of security researchers.
Finding a genuine security flaw in OpenSSL is extraordinarily difficult. Even a single accepted vulnerability represents a rare achievement. The library's maturity and the community's vigilance make new discoveries exceptionally uncommon. This makes the January 2026 release an important milestone for autonomous security systems. As Tomáš Mráz, CTO of the OpenSSL Foundation, says,
“One of the most important sources of the security of the OpenSSL Library and open source projects overall is independent research. This release is fixing 12 security issues, all disclosed to us by AISLE. We appreciate the high quality of the reports and their constructive collaboration with us throughout the remediation.”
In this article, we’ll give an overview of our discoveries and explain why we think this is a watershed moment for AI-powered software security.
The AISLE Research Team started hunting for OpenSSL vulnerabilities with our autonomous analyzer in August 2025. You can read about the three discoveries we made in Q3 of 2025 here. All of our discoveries were reported through responsible disclosure and resolved through coordinated releases with the OpenSSL project.
AISLE’s analyzer also recommended fixes which were incorporated directly into OpenSSL for 5 of the 12 CVEs.
In addition to the 12 CVEs, 6 findings were never assigned a designation. In each case, AISLE detected the issue, reported it to the maintainers, and the fix was merged before the vulnerable code ever appeared in a release.
OpenSSL represents one of the most deployed, battle-tested, and carefully maintained open-source projects in existence. The fact that 12 previously unknown vulnerabilities could still be found there, including issues dating back to 1998, suggests that manual review faces significant limits, even in mature, heavily audited codebases.
Human reviewers are constrained by time, attention, and the sheer volume of code in modern systems. Traditional static analysis catches certain bug classes but struggles with complex logic errors and timing-dependent issues. By contrast, autonomous AI-driven analysis operates at a different scale. It can examine code paths and edge cases that would take human reviewers months to cover, and it runs continuously rather than periodically.
This doesn't mean that AI can replace human expertise. The OpenSSL maintainers' deep knowledge of the codebase was essential for validating findings and developing robust fixes. But it does change the SLA of security. When autonomous discovery is paired with responsible disclosure, it collapses the time-to-remediation for the entire ecosystem.
The 12 OpenSSL vulnerabilities we identified, spanning 8+ subsystems from CMS to QUIC to post-quantum signatures, represent a milestone in our (admittedly ambitious) mission: moving from reactive patching to securing the software foundation that modern civilization depends on.
From the moment our system flagged these anomalies, we approached this as a partnership with the OpenSSL community. We submitted detailed technical reports through their coordinated security reporting process, including complete reproduction steps, root cause analysis, and concrete patch proposals. In each case, our proposed fixes either informed or were directly adopted by the OpenSSL team.
As Matt Caswell, Executive Director of the OpenSSL Foundation, said, “Keeping widely deployed cryptography secure requires tight coordination between maintainers and researchers. We appreciate AISLE's responsible disclosures and the quality of their engagement across these issues.”
The OpenSSL team's responsiveness was exceptional. Under the leadership of Tomáš Mráz, the Chief Technical Officer (CTO) at the OpenSSL Foundation, the maintainers engaged technically at every stage: validating findings, refining patches, coordinating releases across multiple branches, and synchronizing with downstream distributions.
For questions about AISLE's autonomous analyzer, reach out to us at [email protected].
Our appreciation goes to Tomáš Mráz, Matt Caswell, Neil Horman, and the OpenSSL team for their collaboration throughout this process. AISLE researchers contributing to these discoveries include Stanislav Fort, Petr Šimeček, Tomas Dulka, and Luigino Camastra.