All the bugs they found

Tiny coding project hit with 20+ flaws, and the comments went feral over AI hype

TLDR: An AI-assisted review found 20-plus security problems in a small tool meant to safely run outside code, including a few scary isolation failures. The comments quickly split between people calling it a great proof of AI’s usefulness and people mocking the hype, the safety limits, and the dramatic framing.

A small personal coding project somehow delivered big main-character energy after its creator revealed that artificial intelligence tools found more than 20 security problems hiding inside it. The project was meant to safely run outside code in a locked-down box, but a few of the bugs reportedly let one program peek into another program’s private stuff—which is exactly the kind of sentence that makes comment sections sit up straight. The post itself is a detailed, nerdy autopsy, but the real fireworks were in the crowd reaction: some readers were impressed that a relatively simple side project could be stress-tested so hard, while others immediately turned the whole thing into a debate about whether AI security tools are the future or just glorified hype machines.

And oh, the shade. One camp praised the write-up as the rare “show your work” example, with clear explanations, proof, and repeatable results. Another camp rolled its eyes at the bold “20 bugs” framing, basically saying: it’s a hobby project, not the plumbing of the internet—let’s not act like civilization is ending. Then came the spicy subplot: complaints that some AI models make security testing awkward because of safety blocks, prompting one commenter to sneer that “mythos is just that, a myth.” Meanwhile, a more optimistic voice pitched the true dream scenario: chain multiple AI steps together—find issues, explain them, build test cases, then fix them. In other words, the comments weren’t just reacting to bugs; they were fighting over whether AI is a watchdog, a diva, or both.

Key Points

  • Andrea Pivetta says AI agents found more than 20 security vulnerabilities in his Go-based WebAssembly runtime, Epsilon.
  • The reported flaws include denial-of-service bugs, API design issues, and sandbox escapes between WebAssembly modules.
  • Epsilon is described as an interpreter-only runtime with no JIT, intended to embed a sandbox for potentially untrusted code.
  • The article explains that Epsilon relies on WebAssembly validation rather than runtime type checks and represents `funcref` values as `int32` indexes in a shared global function store.
  • The first exploit described, "Zero Is Not Null," depends on Epsilon treating `0` and a reference to function store index 0 equivalently, enabling an unintended indirect call to a private function in another module.
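As an added illustration of the design described in the last two points (not Epsilon's code, and the hardening shown is an assumed remedy rather than the fix the project shipped): a toy shared function store in Go in which the null `funcref` and store index 0 collide, beside a version that reserves index 0 as the null sentinel and checks module ownership at call time. The module names, the `Exported` flag and the function names are constructed for the example.

```go
package main

import "errors"

// Toy model of the design the article describes (added illustration, not
// Epsilon's code): every loaded module's functions live in one shared store
// and a funcref is just an int32 index into it.
type Function struct {
	Module   string
	Name     string
	Exported bool
}

type store struct{ funcs []Function }
// Add registers a function and returns its index, which is its funcref value.
func (s *store) Add(f Function) int32 {
	s.funcs = append(s.funcs, f)
	return int32(len(s.funcs) - 1)
}

// NaiveStore reproduces the flaw: the null funcref is the integer 0, and
// index 0 is also the first real function registered by any module.
type NaiveStore struct{ store }

// CallIndirect resolves the index without telling "null" apart from 0, so a
// zero-initialised table slot in one module reaches another module's function.
func (s *NaiveStore) CallIndirect(ref int32) (Function, error) {
	if ref < 0 || int(ref) >= len(s.funcs) {
		return Function{}, errors.New("funcref out of range")
	}
	return s.funcs[ref], nil
}

// SafeStore is one hardening (an assumption, not the fix Epsilon shipped):
// index 0 is reserved as the null sentinel, and a call may only target the
// caller's own functions or functions their module exported.
type SafeStore struct{ store }

func NewSafeStore() *SafeStore { return &SafeStore{store{funcs: []Function{{}}}} }

func (s *SafeStore) CallIndirect(caller string, ref int32) (Function, error) {
	if ref <= 0 || int(ref) >= len(s.funcs) {
		return Function{}, errors.New("null or out-of-range funcref")
	}
	f := s.funcs[ref]
	if f.Module != caller && !f.Exported {
		return Function{}, errors.New("private function of another module")
	}
	return f, nil
}
```

A null reference in `SafeStore` traps instead of resolving, which is the behaviour a sandbox wants: the zero value of a table slot can never name a real function.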

Hottest takes

"sometimes i feel mythos is just that a myth" — shandilyaharsh
"Trying to work around Anthropic blocking security-related prompts does get pretty tiring" — vachanmn123
"I don’t really care about posting in bold 20 bugs when it comes to a hobby project" — keybored
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.