Bugcrowd launches reinforcement learning environments to train AI on real software vulnerabilities

Crowdsourced cybersecurity company Bugcrowd Inc. today launched Reinforcement Learning Environments, a new offering that lets frontier artificial intelligence labs train models on real vulnerable software rather than synthetic test data.

The product is built on technology Bugcrowd picked up through its acquisition of Mayhem Security in November and is already in use with large language model providers. Bugcrowd describes the offering as a way to compress what would typically be years of in-house engineering work into a few weeks.

Reinforcement learning, the technique behind much of the recent progress in agentic AI, requires environments where a model can take actions, observe outcomes and receive a reward signal. Bugcrowd argues that security has been underserved on that front because most existing training data is synthetic and does not mirror how vulnerabilities behave in production code. Models that score well on curated benchmarks often stumble when they hit real flaws.

The new platform supplies what the company calls hundreds of thousands of training environments, each built from open-source software with real source code and verifiable outcomes. AI agents are tasked with locating bugs, triggering them, assessing exploitability and producing fixes, with objective scoring at every step. Bugcrowd says no customer data or work from its researcher community is used in the environments.

The launch extends a strategy that began with the Mayhem deal, which brought autonomous code and application programming interface testing into the Bugcrowd platform. Mayhem, founded in 2012 by Carnegie Mellon researchers David Brumley and Thanassis Avgerinos, was built on symbolic execution and fuzzing techniques originally developed for the Defense Advanced Research Projects Agency’s Cyber Grand Challenge. Bugcrowd is now aiming that same toolchain upstream, at the labs building the models that downstream security teams will eventually deploy.

“The gap between what AI agents are trained on and what they encounter in the real world is where security breaks down,” explains Dave Gerry, chief executive officer of BugCrowd. “Our RL Environments give frontier teams the infrastructure to build AI that learns security from real vulnerabilities, not approximations of them.”

Bugcrowd is also releasing ExploitBench, a framework for measuring the exploit-development capabilities of AI models. Both efforts target a thin slice of the AI infrastructure stack that has drawn growing interest from model developers trying to push agents past detection and into the harder territory of validated exploitation and patching.

David Brumley, chief AI and science officer at Bugcrowd and a co-founder of Mayhem, said the company has spent years building the graders and reward structures needed to train models across the full security lifecycle. “You cannot train a model to be good at security by showing it what security looks like, you have to give it real problems to solve and honest feedback on whether it solved them,” Brumley said.

Bugcrowd has raised about $180 million to date, including a $102 million strategic growth round in February 2024 led by General Catalyst and a $30 million round in April 2020 led by Rally Ventures. Other investors include Blackbird Ventures Pty Ltd., Costanoa Ventures Capital Management, Industry Ventures, Paladin Capital Group, Salesforce Ventures and Triangle Peak Partners LP.

Image: SiliconANGLE/Ideogram