AI Agents Hunt Vulnerabilities While Surveillance Debate Escalates

There's something quietly remarkable happening at the intersection of security and AI right now. GitHub Security Lab has been using large language models to audit open source repositories, and the results are staggering. Over two weeks, they found 22 separate vulnerabilities in Firefox-14 of them high-severity. But here's the thing that matters more than the raw numbers: the AI isn't just finding obscure edge cases. It's finding logic bugs that traditional security tools miss. Authorization bypasses. Information disclosure vulnerabilities. The kind of issues that require understanding what code is supposed to do, not just what it does.

This is worth paying attention to because it flips the script on AI in security. We've spent months worrying about AI-generated code introducing vulnerabilities. Now we're watching AI become a surprisingly effective security researcher. GitHub's framework is open source, so teams can run it on their own projects. The methodology is fascinating too-it starts with threat modelling, then generates vulnerability suggestions, then audits those suggestions with fresh context. That two-stage process matters. It's the difference between a tool that hallucinates and one that actually reasons.

The Surveillance Question Nobody's Really Answering

Meanwhile, the Anthropic-Pentagon standoff has exposed something deeper than a contract dispute. The government can legally purchase commercial data on Americans-location data, browsing history, social media activity. It can feed all of that into AI systems for analysis. And there's almost no law stopping it. That's not because the government is breaking rules. It's because the rules were written before AI could turn scattered data points into detailed profiles at scale. The Fourth Amendment predates the internet. FISA was written when surveillance meant wiretapping. AI changes what's legally possible without changing the laws that govern it. One law professor put it simply: "What AI can do is take a lot of information, none of which is by itself sensitive, and give the government powers it didn't have before."

The student data angle makes this even more urgent. A long-form piece on FERPA-the 1974 law meant to protect educational records-walks through how schools have become data collection machines. Learning management systems track every assignment, every wrong answer, how long students spend on each question. Proctoring software records faces, screens, keystrokes, eye movements. One breach (PowerSchool, 2024) exposed millions of K-12 students' records. Another (Illuminate, 2022) exposed NYC students' race, disability status, poverty indicators. The law doesn't protect any of this the way most parents think it does.

Building Better, Building Faster

On the practical side, there's something genuinely useful emerging for developers who are tired of boilerplate. A CLI tool called create-trpc-setup does what sounds simple but is genuinely time-saving: it automates the tedious setup of tRPC with Next.js. Detects your package manager, reads your tsconfig for path aliases, sets up the context, creates the API routes, patches your layout file. Removes an hour or two of copy-paste-and-debug that every developer does every time they start a new project. That's the kind of AI-adjacent tooling that matters-not replacing developers, but removing friction.

Web development is also seeing a reckoning on context files. A new paper from ETH Zurich challenges the industry practice of adding AGENTS.md files for AI coding assistants. The researchers found that LLM-generated context files often hurt more than they help. Better approach: omit them entirely, and limit human-written instructions to things the AI can't infer-specific tooling, custom build commands, that sort of thing. It's a small finding but it signals something important: we're learning which AI assistance patterns actually work, and which are just performative.