AI has come to a point where a good prompt can get the agent to find not only potential flaws in the code, but exact steps to exploit one or more vulnerabilities, eventually combining them together.

It is a concern but there is no reason to panic, we just have to change how we treat security in software development to address it. This post will explain what I will do when developing my projects, including Cowboy, and also what I will not do.

I have started receiving AI generated reports of vulnerabilities in private. I am thankful for them, as there were a couple good ones. But there were also reports with hallucinations (non-existent functions or the agent inventing text in RFCs), reports about internal/undocumented functions and reports misunderstanding the security model of the projects.

This has led me to set up an AGENTS.md with instructions specifically around analysing the projects to reduce the noise. This also prompted clarifying the security model in Cowboy's user guide. Unfortunately, while I described that model many times on mailing lists and other venues, it was never formalised. This is now fixed.

A problem came up when I started fixing the issues described in the reports. The Erlang CNA under the Erlang Foundation published CVEs as soon as I pushed the commits (to run CI). I didn't describe the vulnerability in the commits so this was a surprise to me. Their rationale is that since you can use AI to scan commit logs to find vulnerabilities, they must publish the CVE. The problem with that is that it costs an attacker money to scan, and zero to access the CVE.

The expectation is to keep fixes private until release (security by obscurity coming back with a vengeance). The problem with doing that is that attackers can scan repositories anyway, so it doesn't matter much if the commits with fixes are public or not, in both cases it costs a few dollars for the attacker to find vulnerabilities to exploit. As I will explain later in this post, it is not expensive at all to do so, all that matters is to have a good prompt.

Publishing CVEs when commits are pushed is also a problem for users. Some users, myself included through RabbitMQ, have cadenced releases and requirements around handling of CVEs. Publishing a CVE early means attackers now have a zero dollar method to finding vulnerabilities they can use against millions of installations, before users even have a release to upgrade to. Not good.

Another problem I ran into, is that some of those low quality reports made it into CVEs anyway, despite my pushing back. I would just recommend to check the CVEs, see if you are even remotely affected, and if not add them to the ignore list. I won't fight back bad CVEs.

Considering this experience, I will continue to happily process reports and fix what must be fixed, but this is not a good long term approach. As I mentioned earlier, an attacker can use AI to scan an open source project for vulnerabilities. That means the project has to both produce releases free of vulnerabilities and provide users the means to avoid vulnerabilities when using the project.

Producing releases free of vulnerabilities means integrating AI scans during development. This is a work in progress for Cowboy and friends and it will improve over time and eventually become automated in CI. The Cowboy 2.16 release is the first Cowboy release to have some AI scans for vulnerabilities applied during development. That doesn't make Cowboy 2.16 vulnerability-free, as this is still a work in progress.

Providing users the means to avoid vulnerabilities means providing users with AI prompts they can run against their own applications to find any relevant issues in their project. The Cowboy 2.16 release is the first Cowboy release to provide a security checklist that users can give to their AI agent to scan vulnerabilities in their own application.

This security checklist works just as well with cheap models as it does with more expensive ones. Cheap models such as Grok Code Fast can find the same issues as Claude Opus 4.7, the only difference is the cost and the fact that Grok Code Fast stops earlier than Claude Opus 4.7. But you can ask Grok Code Fast to "find more" and you will eventually end up with the same exhaustive list at a fraction of the cost.

Both cheap and expensive models will hallucinate a little even when using this security checklist, you need to push back when you think the AI agent is wrong to be certain it got it wrong. Typically the agent will correct itself when pushed back.

An equivalent security checklist will be added to Gun in a future release.

As usual, feedback is appreciated, and issues or questions should be sent via Github tickets or discussions. We also have a Discord server. Join Erlang OSS Discord now!