AI is Breaking Two Vulnerability Cultures


AI is collapsing both major vulnerability disclosure models simultaneously: quiet Linux-style fixes get flagged by AI diff scanners, and 90-day embargoes face parallel independent discovery within hours.

What Matters

  • Linux’s “bugs are bugs” culture assumes noise hides security fixes; AI commit analysis breaks that assumption by evaluating every diff cheaply and systematically.
  • Coordinated disclosure is also failing: Hyunwoo Kim reported the ESP vulnerability; Kuan-Ting Chen independently found it just 9 hours later.
  • Gemini 1.5 Pro, GPT o1, and Claude Opus identified commit f4c50a403 as a security fix immediately when given full context; results diverged on raw diff alone.
  • Embargoes create false non-urgency and restrict the defender pool—two compounding harms when exploit generation is accelerating.
  • Author’s proposed response: very short embargoes, shrinking further over time, with AI-assisted defenders closing the gap.
  • [HN: @freeqaz] Log4Shell followed this exact pattern—patch pushed to git, black hats spotted the fix, attacks started before the coordinated disclosure date.
  • [HN: @rikafurude21] Shorter embargoes don’t help orgs that take days or weeks to patch; cheaper exploit generation may widen the gap between fast and slow responders.
