I don't know, but given how often Gemini refuses benign requests IME, I would suspect it's a complete non-starter for finding security holes.