JetBrains' Holistic Approach to Collaborative AI
Neural Networks in the Pursuit of Cryptographic Vulnerabilities

While modern cryptography is built upon a foundation of mathematical perfection, the translation of these concepts into executable code often remains the weakest link. This vulnerability served as the catalyst for a recent study by zkSecurity, which deployed its proprietary AI pipeline to scrutinize CIRCL—Cloudflare's experimental cryptographic library. The effort yielded seven confirmed vulnerabilities, the majority of which were rewarded through the company's bug bounty program. However, the true value of this case lies not in the quantity of bugs discovered, but in the analysis of the cognitive capabilities of the models that found them.
The centerpiece of the audit was the discovery of a critical flaw within an encryption scheme governed by intricate access policies. In a flawless implementation, decryption should have been contingent upon a confluence of conditions—for instance, requiring a user's key to align simultaneously with a specific department and a particular geographic region. In essence, it was designed as a vault requiring the simultaneous turn of multiple keys.
However, a single-line coding error compromised the integrity of this "lock." It emerged that a single key sufficed for data access. The vulnerability was compounded by the fact that a service tag—which effectively functioned as the first mandatory key—was present in every token issued to users. Consequently, any access policy became moot: any key holder could decrypt any message. Cloudflare officially classified this incident as critical.
The distribution of labor among the tools was particularly telling. The most perilous vulnerability was unearthed by zkao, zkSecurity's proprietary AI agent specifically engineered for code auditing. The remaining six errors were split between Claude Opus 4.6 and GPT-5.3. Throughout the process, the researchers emphasized the indispensable nature of the "human-in-the-loop" paradigm. While the neural networks generated hypotheses and flagged suspicious code segments, human experts were required to verify actual exploitability and manage the disclosure process. At the current stage of technological evolution, the marginal cost of generating potential bug candidates has plummeted to near zero, yet the level of trust in raw AI-generated reports remains low.
An analysis of model behavior revealed several systemic idiosyncrasies, particularly regarding risk assessment. AI demonstrates a fundamental inability to accurately gauge the severity of its own findings. In most instances, models tend to catastrophize trivial errors while underestimating genuinely perilous attack vectors. A prime example was an attack on BLS (Boneh-Lynn-Shacham) aggregate signatures, which was erroneously classified as a medium-severity vulnerability. This confirms the thesis that criticality assessment is a contextual business process requiring human judgment, rather than a simple exercise in code pattern analysis.
Another critical takeaway was the extreme volatility in model performance. During the initial scanning phase, Claude Opus 4.6 played the dominant role, while GPT-5.3 served merely as a reviewer. However, a few weeks later, following updates to Opus 4.7 and GPT-5.4, the situation reversed: GPT became the primary generator of findings, and Claude shifted into a verification role.
This phenomenon suggests that leadership in the realm of automated code analysis can shift with a single model release. For the professional community, this renders brand loyalty to a specific LLM obsolete. An effective pipeline must be modular and agile, allowing for the rapid swapping of "intelligence" layers based on real-time performance metrics.

