Unpatched.ai: Who runs the vulnerability discovery platform?

Infosec experts weigh in

A deeper dive into Unpatched.ai yielded few results, as well. The Unpatched.ai domain was registered through Namecheap in September, according to WhoIs records. Additional information about the owner, however, is shielded by a domain privacy service located in Reykjavik, Iceland.

While Adam Barnett, lead software engineer at Rapid7, said there is little information beyond what Unpatched.ai provides on the public website, he did highlight a Reddit user called "Fit_Tie_9430" who claimed to represent the platform. Last week, the user posted a link to the Jan. 29 post on Unpatched.ai's X account.

"I'd say it's likely that the Reddit user is indeed affiliated with Unpatched.ai, since that user was posting specific details of this week's [January Patch Tuesday] Access zero days a month ago (e.g., a recommendation to block specific attachment types, which is echoed in the advisories published this week," Barnett said in an email. "Everything the Reddit user has posted -- which again, isn't much --strikes me as well-written, both stylistically and in terms of understanding the technical/organizational context of working with Microsoft security issues."

In a Reddit post from December, Fit_Tie_9430 noted that much of Unpatched.ai's vulnerability discovery and analysis processes is automated. The user also provided links to a now-private YouTube channel that apparently demonstrated exploits against reported Microsoft Access vulnerabilities that affect Microsoft 365.

In addition to the three January patch Tuesday flaws Microsoft credited to Unpatched.ai, Barnett said there is one previous Microsoft advisory linked to Unpatched.ai regarding a vulnerabiity tracked as CVE-2024-49142. Barnett added that CVE-2024-49142 was originally published in December's Patch Tuesday without an acknowledgement, but Unpatched.ai was credited a couple days later. CVE-2024-49142 also affects Microsoft Access.

"The favicon for the unpatched.ai website is an emoticon :), which is an obvious riff on the Windows blue screen of death, which shares the same colours/font but with an unhappy emoticon : (. Again, this is a nice touch, but I still don't know who's behind it. It could be just about anyone who has time, resources, and skills," Barnett said.

Satnam Narang, senior staff research engineer at Tenable, also said little is known about Unpatched.ai as a service or a platform. Narang added that its now-bare X account follows only a small number of infosec professionals. "It is unclear if the service is still in a closed-door phase and will eventually provide more insights about its leadership and team, or who may be backing the service," Narang said in an email.

Alon Yamin, co-founder and CEO of Copyleaks, told Informa TechTarget that it was only a matter of time before an AI-powered vulnerability reporting platform emerged to help address an influx of vulnerabilities.

"On the one hand, the ability to proactively identify any potential vulnerabilities in code could be a game-changer for preventing cyberattacks. Early detection and rapid patching are critical to any business in today's threat environment. However, concerns about misuse are valid. As with any development in generative AI, it's crucial that Unpatched.ai is deployed carefully, responsibly, and ethically, with clear safeguards in place to prevent attackers from exploiting the vulnerabilities it identifies," Yamin said in an email.

AI-driven vulnerability discovery is a growing goal within the infosec industry, though few breakthroughs have been publicly announced. In November, Google claimed to be the first to find a zero-day vulnerability with AI technology. The company said Big Sleep, an AI-powered agent developed by Google Project Zero and Google DeepMind, uncovered a buffer stack underflow flaw in the SQLite open source database engine.

Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.