Toan Pham
Oct 14 · 5 tweets · 3 min read
Here to share more about the design of our vibe-only code fuzzer and how it found its first 0-day. Putting the "LUCK" factor aside, our fuzzer uses the same method as the legendary Google JS-fuzzer, with some advantages provided by AI, which performs various crucial tasks in the fuzzing workflow:
- Coverage improvement;
- Code-snippet extraction;
- Mutation-plugin development;
- Minimization and 0x41-violation hunting.
You may wonder why JS-fuzzer; Fuzzilli seems more popular and famous. That is rooted in our experience with vibe coding (from Smart Tab to Cursor, and now the Claude Code era). To us, AI is still terrible at large and complex code bases, so Fuzzilli is not something we should vibe; on the contrary, the JS-fuzzer methodology is more AI-approachable. It takes existing test cases from a large corpus, then inserts several random snippets from the DB (also extracted from the corpus). Finally, it tweaks the code using several mutators, each focused on a specific pattern.
That design is just very AI-friendly, as the AI can easily create code snippets and add them to the database without relying on the corpus. We also let it read coverage information to generate and test snippets for certain parts of the compiler source code.
For the mutation part, since each mutation plugin is < 1,000 LOC, AI easily one-shotted it per request. For complex ones it took several rounds of vibe-test-check-vibe-again until finished.
The only remaining part that needed some "babysitting" is the engine that connects those parts, quite standard like any other coverage-guided fuzzer: corpus management, coverage measurement, REPRL execution engine...
But at that point we only had a fully functioning fuzzer; to make it capable of finding 0-days, we needed the best set of code snippets and mutators. Inspired by how people solve ARC-AGI, we built our snippet and mutator plugins using evolutionary test-time compute. Simply said, we let AI generate a huge population of snippets and mutators, then use code coverage and similarity scoring to rank, reduce, breed, and pool them until we have the finest set. We use that to fuzz until the predefined energy budget runs out, then continue with another generation, all of it also managed by an AI. It still needs a lot of babysitting, but we are quite satisfied with current model capabilities. This part is still not fully autonomous for now; we still need to review the mutators and manually "blacklist" bad behaviour / hacky ways the AI tries to circumvent...
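As an added illustration of the rank-and-reduce step described above (this is not the thread author's code and the fuzzer's actual scoring is not public): each generated snippet or mutator is dry-run once to collect an edge-coverage set, then candidates are pooled greedily by new coverage gained, discounted by Jaccard similarity to members already in the pool. The `Candidate` class, the `sim_penalty` weight and the sample coverage sets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """A generated snippet or mutator plugin plus the edges it covered in a dry run."""
    name: str
    edges: frozenset


def jaccard(a: frozenset, b: frozenset) -> float:
    """Similarity of two coverage sets; used to penalise near-duplicate candidates."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def select_pool(population, k, sim_penalty=0.5):
    """Greedy rank-and-reduce: repeatedly take the candidate whose edges add the most
    coverage over the pool so far, discounted by its similarity to pooled members.
    Stops early when no remaining candidate adds coverage (the 'reduce' step)."""
    pool = []
    covered = set()
    remaining = list(population)
    while remaining and len(pool) < k:
        def score(c):
            gain = len(c.edges - covered)
            sim = max((jaccard(c.edges, p.edges) for p in pool), default=0.0)
            return gain * (1.0 - sim_penalty * sim)
        best = max(remaining, key=score)  # ties keep population order
        if score(best) <= 0:
            break
        pool.append(best)
        covered |= best.edges
        remaining.remove(best)
    return pool


# Constructed sample: B nearly duplicates A, D is a subset of A, C covers new code.
SAMPLE = [
    Candidate("A", frozenset({1, 2, 3, 4})),
    Candidate("B", frozenset({1, 2, 3, 5})),
    Candidate("C", frozenset({10, 11})),
    Candidate("D", frozenset({1, 2})),
]

if __name__ == "__main__":
    print([c.name for c in select_pool(SAMPLE, k=4)])  # ['A', 'C', 'B']
```

Candidates that survive `select_pool` are the ones worth spending the generation's energy budget on; the discarded near-duplicates are what a similarity score is there to catch.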
After several days, the fuzzer got some crashes in both Firefox and V8; one turned out to be exploitable and has been submitted to Mozilla to patch. We are currently enhancing the autonomy level of the whole engine and experimenting with the ability to turn a crash into a 0x41-violation autonomously (seems extremely hard for now). And ultimately we hope (but wish not) it is possible to let AI develop this 0-day into a full RCE exploit.
Js-fuzzer: chromium.googlesource.com/v8/v8/+/master…
ARC-AGI solution we referred to: x.com/_eric_pang_/st…