What Happened

Tsvetan Stoychev, a former lead engineer at Akamai, shared his experience of finding vulnerabilities in the code of the popular database ClickHouse. Utilizing modern AI tools like GitHub Copilot and Claude Opus, he was able to identify real issues in the system, despite lacking formal education in cybersecurity. For his discoveries, he received rewards through ClickHouse's bug bounty program.

Why This Matters

This case highlights that AI tools can significantly simplify the vulnerability discovery process even for those who are not experts in the field. This may lead to an increase in the number of people capable of contributing to software security, which in turn will enhance the overall security of technology. In the face of rising cyberattack threats, such initiatives are becoming particularly relevant.

Context

Bug bounty programs are becoming increasingly popular among companies looking to improve the security of their products. They allow anyone to report vulnerabilities they find in exchange for financial rewards. With the evolution of AI and automated tools like Copilot, the process of finding vulnerabilities is becoming more accessible and less reliant on expert experience.

What It Means

Tsvetan Stoychev's experience demonstrates that AI can serve as a powerful tool for vulnerability discovery, enabling individuals without deep security knowledge to identify serious issues. This opens up new avenues for participation in the security of IT products and may lead to an overall increase in industry security standards. In the future, we are likely to see more instances where non-experts armed with AI find vulnerabilities and contribute to improving software security.