AI Is Breaking Two Vulnerability Cultures
Source: Hacker News
A week ago the Copy Fail vulnerability was disclosed, and Hyunwoo Kim immediately realized that the fixes were insufficient, sharing a patch the same day. In doing this he followed standard Linux networking procedure: share the security impact with a closed list of Linux security engineers while fixing the bug quietly and efficiently in the open. His goal was that, with only the raw fix public, the knowledge that a serious vulnerability existed could be “embargoed”—the people in a position to address it know, but they’ve agreed not to say anything for a few days.
Someone else noticed the change, realized the security implications, and shared it publicly. Since it was now out, the embargo was deemed over, and we can now see the full details.
Coordinated Disclosure vs. “Bugs Are Bugs” Culture
Coordinated disclosure
This is probably the most common approach in computer security. When you discover a security bug you tell the maintainers privately and give them some amount of time (often 90 days) to fix it. The goal is that a fix is out before anyone learns about the hole.
“Bugs are bugs” culture
Especially common in Linux, the argument is that if the kernel is doing something it shouldn’t, then someone somewhere may be able to turn it into an attack. The response is to fix things as quickly as possible, without drawing attention to them. Often people won’t notice, given the volume of changes, and there’s still time to get machines patched.
AI’s Effect on Vulnerability Handling
This approach never worked perfectly, but with AI getting good at finding vulnerabilities it becomes a much bigger problem. So many security fixes are coming out now that examining commits is far more attractive: the signal‑to‑noise ratio is higher. Additionally, having AI evaluate each commit as it passes is increasingly cheap and effective.¹
Long embargoes also struggle in the AI era. Historically, detection was slow: if you reported a bug with a 90‑day window, there was a good chance no one else would notice during that time. Now, many AI‑assisted groups scan software for vulnerabilities, so that no longer holds. In this case, just nine hours after Kim reported the ESP vulnerability, Kuan‑Ting Chen independently reported it as well. Embargoes can increase risk: they create a false sense of non‑urgency and limit which actors can work to fix a flaw.
Toward Shorter Embargoes
I don’t know how to resolve this tension, but personally very short embargoes seem like a good approach, and they’d need to get even shorter over time. Luckily AI can speed up defenders as well as attackers, allowing embargoes that would previously have been uselessly short.
AI Evaluation Test (Footnote)
¹ I tested on Gemini 3.1 Pro, ChatGPT‑Thinking 5.5, and Claude Opus 4.7. All three got it right away when given the commit f4c50a403. When I gave them just the diff—imagining a hypothetical future where diffs are still public right away but with less context—Gemini was sure it was a security fix, GPT thought it probably was, and Claude thought it probably wasn’t. This is a very quick test to illustrate what’s possible: one run of each with the prompt “Without searching, does this look like a security patch?”
Don’t put much stock in the cross‑model comparison!