Cloudflare's CIRCL cryptography library underpins experimental privacy and post quantum systems.
When zkSecurity ran its AI audit pipeline against Cloudflare's CIRCL, an experimental cryptography library for privacy and post-quantum systems, it surfaced seven real bugs. The list reads like a stress test of the field's most trusted layer: a float64 precision loss in threshold RSA polynomial evaluation, a DLEQ proof forgery, a BLS aggregate verification gap, and a complete access-control break in attribute-based encryption. All seven are fixed upstream, and most were paid out under Cloudflare's HackerOne program.
Cloudflare built CIRCL as a home for advanced and post-quantum primitives: curve operations used in threshold signing, BLS aggregation, HPKE, and identity-based encryption. A bug in any of those code paths can outlive the project that imports it, which is why the bug list, published this week by zkSecurity, reads less like a project postmortem than an inventory of where AI auditors actually point.
The pipeline that found them is called zkao. The experiment ran it in two configurations: a plain LLM with a simple prompt, and a second LLM paired with curated skills maintained by zkSecurity's human researchers, encoding years of cryptographic audit know-how into routines the agent could call. On CIRCL, the second configuration did almost all of the work. Six of the seven bugs were credited to Claude Opus 4.6 with skills, one to GPT-5.3 with skills, and only the seventh, the CP-ABE access-control break, came from zkao operating on its own. The split matches the argument zkSecurity has been making in print: AI auditors need domain scaffolding to surface the bugs real cryptography hides, and prompts alone plateau quickly.
Humans on zkSecurity's team validated each issue, checked exploitability, minimized proof-of-concept code where needed, and handled disclosure. That human-in-the-loop step still matters because AI candidates are cheap while trustworthy reports are not, and the CP-ABE finding is the only one in this batch where the agent reached the finish line without a human reviewer steering it.
Cloudflare's confirmed severity diverged from the AI's calls on most of the bugs. The float64 precision loss in threshold RSA was rated critical by zkSecurity's agent because it produces wrong key shares when polynomial terms overflow a 53-bit float mantissa, and downgraded to low by the maintainer on the grounds that the affected player and threshold parameters are unlikely in production. A DLEQ proof forgery via a prover-controlled security parameter moved from high to low after maintainer review. Lagrange coefficients computed in int64 dropped from high to medium. The BLS aggregate verification gap went the other way: AI rated it medium, Cloudflare rated it high. Only the CP-ABE access-control break was graded critical by both sides.
Four of the seven bugs were rated more severe by the AI than by the maintainer's triagers, one was rated less severe, and two carried matching grades. That gap matters more than the seven itself. An audit that rates everything critical trains operators to ignore the channel; one that misses severity misses the deployment calculus of which findings gate a CVE, which deserve a CVE at all, and which belong only in a CHANGELOG. zkSecurity flagged the gap as a feature to study, not a flaw to apologize for, treating the AI as a measurement instrument with known noise rather than a verdict machine.
For security programs that already pay bounties, the candidate stream compresses the human review time on triage and disclosure rather than on the search itself. For firms that bill by the audit, the open question is whether the new pipeline devalues the search step or shifts pricing toward severity judgment.
Discussion on Hacker News, roughly nine points and 35 minutes old at scout time, has been reaction rather than reporting (thread). The next test of the methodology is zkSecurity's stated plan: keep the AI running across open-source cryptography until the bug rate stops falling. If CIRCL is the first data point, the second will show whether the pipeline plateaus on the next clean codebase or scales into a durable layer of the audit stack.