OpenAI’s Dave Aitel talks Aardvark, economics of bug-hunting with LLMs
October 31st, 2025
2 hrs 10 mins 48 secs
About this Episode
Three Buddy Problem - Episode 70: Dave Aitel from OpenAI's technical staff joins the buddies to discuss the just-launched Aardvark, OpenAI’s agentic “security researcher” that claims to read code, find bugs, validate exploits, and ship patches. We press him on where LLMs beat fuzzers, privacy boundaries, human-in-the-loop realities, SDLC budgets, pen-test cadence, and the zero-day economy.
Plus, an L3Harris/Trenchant exec pleads guilty to selling exploits to Russian brokers, Kaspersky catches the return of HackingTeam using a Chrome zero-day exploit chain, and news of a proposed law in Russia to force researchers to report vulnerabilities first to government agencies.
Cast: Dave Aitel (Technical Staff, OpenAI), Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.
Episode Links
- Transcript (unedited, AI-generated)
- Episode 70 Livestream - YouTube
- Aardvark: OpenAI’s agentic security researcher
- TBP episode on OpenAI’s Aardvark
- How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation
- Ex-US cyber intel exec pleads guilty to selling spy tools to Russian broker
- Ex-L3Harris Cyber Boss Pleads Guilty to Selling Trade Secrets to Russian Firm
- Kim Zetter: Former Trenchant Exec Sold Stolen Code to Russian Buyer Even After Learning that Other Code He Sold Was Being "Utilized" by Different Broker in South Korea
- How we linked ForumTroll APT to Dante spyware by Memento Labs
- CEO of spyware maker Memento Labs confirms one of its government customers was caught using its malware
- Russia's new vuln disclosure law proposal
- TBP Live in Ottawa
- Binding Hook Live
- State of Statecraft
- Ekoparty Miami