VulnHarvest — AI-Guided Vulnerability Discovery Framework

Problem

Security teams lack open-source tooling to use LLMs for systematic vulnerability discovery in codebases. Mozilla internally proved AI can find 423 Firefox bugs in one month (including 15-year-old UAFs, sandbox escapes, race conditions) using Claude Mythos — but hasn't open-sourced the pipeline. Meanwhile, offense is getting cheaper (AI-assisted vulnerability scanning by attackers), and defenders need the same tooling.

Solution

Open-source agentic harness for AI-guided vulnerability discovery:

1. Hypothesis Generation — LLM analyzes code patterns, generates vulnerability hypotheses
2. PoC Creation — Automated proof-of-concept test generation per hypothesis
3. Verification — Execute PoCs in sandboxed environment, confirm exploitability
4. Deduplication — Match against known CVEs, filter false positives
5. Triage — Severity classification (CVSS-like scoring), report generation

Project-agnostic: bring your own codebase, your own model, your own CI.

Market

• TAM: $15B+ application security testing market (growing 20%+ YoY)
• Adjacent validated: Snyk ($8.5B valuation), Semgrep (OSS + commercial), CodeQL (GitHub/Microsoft)
• Gap: None of these use LLMs for hypothesis-driven discovery. They're pattern-matching or static analysis. VulnHarvest is the next generation.
• Mozilla proof point: 423 bugs in 1 month including bugs that survived decades of fuzzing — validates the approach at scale

Architecture

┌─────────────┐    ┌──────────────┐    ┌─────────────┐
│  Code Ingest │───▶│  Hypothesis  │───▶│  PoC Gen    │
│  (AST/CFG)   │    │  Generator   │    │  Engine     │
└─────────────┘    └──────────────┘    └─────────────┘
                                              │
┌─────────────┐    ┌──────────────┐    ┌──────▼──────┐
│  Reporter   │◀───│  Triage &    │◀───│  Sandbox    │
│  (SARIF)    │    │  Dedup       │    │  Executor   │
└─────────────┘    └──────────────┘    └─────────────┘

• TypeScript/Node.js CLI
• SARIF output for CI/CD integration
• Pluggable LLM backend (OpenAI, Anthropic, local models)
• Sandboxed execution (Docker-based)
• CVE database integration

Competitive Landscape

| Tool | Approach | LLM-Guided? | Open Source? | |------|----------|-------------|-------------| | Semgrep | Pattern matching | No | Yes | | CodeQL | Dataflow analysis | No | Partial | | Snyk Code | ML pattern detection | Partial | No | | Mozilla/Mythos | LLM hypothesis | Yes | No (internal) | | VulnHarvest | LLM hypothesis + PoC | Yes | Yes |

Verdict: BUILD

Rationale:

• Technical moat: Agentic harness with hypothesis→PoC→verify loop is novel in open source
• Market timing: Mozilla just proved the approach works; no open-source equivalent exists
• Brand fit: Extends phoenix-assistant security cluster (mcp-security-scanner, agent-security-scanner, etc.)
• Feasibility: MVP scope is achievable — hypothesis gen + PoC for common vulnerability classes (XSS, SQLi, path traversal, buffer overflow patterns)
• Converging signals: 3+ independent sources (Mozilla/Mythos 357 HN pts, jefftk.com 367 HN pts, Karpathy supply chain alert, Xeiaso 831 HN pts)

MVP Scope

1. Code ingestion (AST parsing for JS/TS/Python/C)
2. Hypothesis generation via LLM (configurable model)
3. PoC test generation for top 5 vulnerability classes
4. Basic sandbox execution
5. SARIF output
6. CLI interface: vulnharvest scan ./src --model claude-sonnet