Why AI Is Breaking Traditional Vulnerability Disclosure

Key Takeaways

• AI tools can now identify security vulnerabilities within hours, making traditional 90-day embargoes dangerous
• Both 'coordinated disclosure' and 'bugs are bugs' security cultures face new pressures from AI-assisted scanning
• A recent ESP vulnerability was independently discovered by two researchers just 9 hours apart

For decades, the security industry has operated on two competing philosophies for handling discovered vulnerabilities. One camp favors coordinated disclosure with 90-day embargoes. The other prefers fixing bugs quietly without drawing attention. Both approaches assumed one thing: that finding vulnerabilities takes time.

AI just broke that assumption.

Two Security Cultures at a Crossroads

The tension surfaced recently when someone noticed a security-relevant change, understood its implications, and shared it publicly. The embargo collapsed. The full details are now visible. What happened illustrates a growing problem that will only accelerate.

Coordinated disclosure is probably the most common approach in computer security. You find a bug, tell the maintainers privately, and give them time to fix it. The standard window is 90 days. The goal is simple: get patches deployed before attackers learn about the hole.

The competing philosophy, especially common in Linux kernel development, treats bugs as bugs. If the kernel is doing something it shouldn't, someone somewhere might turn it into an attack. Just fix things quickly without drawing attention. With thousands of commits flowing through, most people won't notice the security-relevant ones. Patches ship, machines update, and the window of exploitation stays small.

Why Quiet Patching No Longer Works

The 'bugs are bugs' approach never worked perfectly. It relied on security fixes hiding in plain sight among routine changes. Attackers had to manually review commit after commit, hoping to spot something exploitable. The signal-to-noise ratio was terrible.

AI changed the economics. With AI tools getting better at identifying vulnerabilities, examining every commit becomes attractive. The signal-to-noise ratio has flipped. Having AI evaluate each commit as it passes is now cheap and effective.

Security researcher Jeff Keselman tested this directly. He fed a specific kernel commit to Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7. He asked each one: without searching, does this look like a security patch?

All three identified it immediately.

When given just the diff without surrounding context, the models showed more variation. Gemini remained confident it was a security fix. GPT thought it probably was. Claude thought it probably wasn't. But the point stands: AI can now flag security-relevant commits faster than most humans can read them.

Long Embargoes Create False Security

If quiet patching is failing, coordinated disclosure should be winning. It isn't.

The 90-day window worked when vulnerability discovery was slow. If you found something and reported it to a vendor, the odds that someone else would independently discover the same flaw during those three months were low. You could afford to wait.

That assumption is now broken. In a recent case involving an ESP vulnerability, Kim reported it to the vendor. Nine hours later, Kuan-Ting Chen independently reported the same flaw. Two researchers, same vulnerability, same day. This pattern will repeat.

With so many AI-assisted groups scanning software for vulnerabilities, parallel discovery is becoming the norm. An embargo doesn't protect the vulnerability from being found. It protects it from being fixed.

Embargoes create two additional problems. First, they generate a false sense of non-urgency. Teams think they have 90 days. They schedule the fix for sprint four. Meanwhile, an AI-assisted attacker found it on day three. Second, embargoes limit who can work on the problem. Only people inside the disclosure agreement can contribute to the fix. That slows everything down.

The Case for Very Short Embargoes

Neither existing approach handles AI-accelerated vulnerability discovery well. A third path might work: very short embargoes that get shorter over time.

The logic is straightforward. If AI can find a vulnerability in hours, the embargo period should be measured in hours or days, not months. Give defenders just enough time to prepare a patch, then release everything simultaneously.

This sounds impractical. Writing, testing, and deploying patches takes time. But AI speeds up defenders too. The same tools that help attackers find bugs can help maintainers fix them. Code analysis that once took days can finish in minutes. Regression testing can run in parallel.

Embargoes that would have been uselessly short five years ago might actually work now. A 48-hour window with AI-assisted patch development could outperform a 90-day window with traditional methods.

What This Means for Security Teams

Security teams should assume three things going forward.

1. Any vulnerability you find, someone else will find soon. The window of exclusivity is shrinking to near zero.
2. Any commit you publish will be analyzed by AI within hours. Hiding security fixes in routine updates no longer works.
3. Speed matters more than ever. The team that patches fastest wins. Everything else is negotiation over how much damage happens in between.

Organizations relying on 90-day disclosure windows should reconsider. That timeline assumes attackers won't find the same bug during the embargo period. That assumption is increasingly false.

Frequently Asked Questions

What is coordinated vulnerability disclosure?

Coordinated disclosure means reporting a security flaw to the software maintainer privately and giving them time (often 90 days) to fix it before public announcement. The goal is deploying patches before attackers learn about the vulnerability.

Why are AI tools changing vulnerability disclosure timelines?

AI tools can identify security-relevant code changes within hours, not months. This means attackers can find vulnerabilities during traditional embargo periods, making long disclosure windows more dangerous than protective.

What is the 'bugs are bugs' security culture?

Popular in Linux kernel development, this approach treats security fixes like any other bug fix. The idea is to patch quickly without drawing attention, hoping the fix ships before anyone notices the underlying vulnerability.

How fast can AI identify security vulnerabilities in code commits?

In tests with Gemini, ChatGPT, and Claude, all three models correctly identified a security patch immediately when given the full commit. Even with limited context, some models still flagged it as likely security-relevant.

What are very short embargoes in vulnerability disclosure?

Very short embargoes (hours or days instead of months) give defenders just enough time to prepare patches before public disclosure. AI-assisted development tools can make these compressed timelines feasible.

Source: Hacker News: Best