Why AI Is Breaking Traditional Vulnerability Disclosure
Key Takeaways
- AI tools can now identify security vulnerabilities within hours, making traditional 90-day embargoes dangerous
- Both 'coordinated disclosure' and 'bugs are bugs' security cultures face new pressures from AI-assisted scanning
- A recent ESP vulnerability was independently discovered by two researchers just 9 hours apart
For decades, the security industry has operated on two competing philosophies for handling discovered vulnerabilities. One camp favors coordinated disclosure with 90-day embargoes. The other prefers fixing bugs quietly without drawing attention. Both approaches assumed one thing: that finding vulnerabilities takes time.
AI just broke that assumption.
Two Security Cultures at a Crossroads
The tension surfaced recently when someone noticed a security-relevant change, understood its implications, and shared it publicly. The embargo collapsed. The full details are now visible. What happened illustrates a growing problem that will only accelerate.
Coordinated disclosure is probably the most common approach in computer security. You find a bug, tell the maintainers privately, and give them time to fix it. The standard window is 90 days. The goal is simple: get patches deployed before attackers learn about the hole.
The competing philosophy, especially common in Linux kernel development, treats bugs as bugs. If the kernel is doing something it shouldn't, someone somewhere might turn it into an attack. Just fix things quickly without drawing attention. With thousands of commits flowing through, most people won't notice the security-relevant ones. Patches ship, machines update, and the window of exploitation stays small.
Why Quiet Patching No Longer Works
The 'bugs are bugs' approach never worked perfectly. It relied on security fixes hiding in plain sight among routine changes. Attackers had to manually review commit after commit, hoping to spot something exploitable. The signal-to-noise ratio was terrible.
AI changed the economics. With AI tools getting better at identifying vulnerabilities, examining every commit becomes attractive. The signal-to-noise ratio has flipped. Having AI evaluate each commit as it passes is now cheap and effective.
Security researcher Jeff Keselman tested this directly. He fed a specific kernel commit to Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7. He asked each one: without searching, does this look like a security patch?
All three identified it immediately.
When given just the diff without surrounding context, the models showed more variation. Gemini remained confident it was a security fix. GPT thought it probably was. Claude thought it probably wasn't. But the point stands: AI can now flag security-relevant commits faster than most humans can read them.
Long Embargoes Create False Security
If quiet patching is failing, coordinated disclosure should be winning. It isn't.
The 90-day window worked when vulnerability discovery was slow. If you found something and reported it to a vendor, the odds that someone else would independently discover the same flaw during those three months were low. You could afford to wait.
That assumption is now broken. In a recent case involving an ESP vulnerability, Kim reported it to the vendor. Nine hours later, Kuan-Ting Chen independently reported the same flaw. Two researchers, same vulnerability, same day. This pattern will repeat.
With so many AI-assisted groups scanning software for vulnerabilities, parallel discovery is becoming the norm. An embargo doesn't protect the vulnerability from being found. It protects it from being fixed.
Embargoes create two additional problems. First, they generate a false sense of non-urgency. Teams think they have 90 days. They schedule the fix for sprint four. Meanwhile, an AI-assisted attacker found it on day three. Second, embargoes limit who can work on the problem. Only people inside the disclosure agreement can contribute to the fix. That slows everything down.
The Case for Very Short Embargoes
Neither existing approach handles AI-accelerated vulnerability discovery well. A third path might work: very short embargoes that get shorter over time.
The logic is straightforward. If AI can find a vulnerability in hours, the embargo period should be measured in hours or days, not months. Give defenders just enough time to prepare a patch, then release everything simultaneously.
This sounds impractical. Writing, testing, and deploying patches takes time. But AI speeds up defenders too. The same tools that help attackers find bugs can help maintainers fix them. Code analysis that once took days can finish in minutes. Regression testing can run in parallel.
Embargoes that would have been uselessly short five years ago might actually work now. A 48-hour window with AI-assisted patch development could outperform a 90-day window with traditional methods.
What This Means for Security Teams
Security teams should assume three things going forward.
- Any vulnerability you find, someone else will find soon. The window of exclusivity is shrinking to near zero.
- Any commit you publish will be analyzed by AI within hours. Hiding security fixes in routine updates no longer works.
- Speed matters more than ever. The team that patches fastest wins. Everything else is negotiation over how much damage happens in between.
Organizations relying on 90-day disclosure windows should reconsider. That timeline assumes attackers won't find the same bug during the embargo period. That assumption is increasingly false.
Logicity's Take
Frequently Asked Questions
What is coordinated vulnerability disclosure?
Coordinated disclosure means reporting a security flaw to the software maintainer privately and giving them time (often 90 days) to fix it before public announcement. The goal is deploying patches before attackers learn about the vulnerability.
Why are AI tools changing vulnerability disclosure timelines?
AI tools can identify security-relevant code changes within hours, not months. This means attackers can find vulnerabilities during traditional embargo periods, making long disclosure windows more dangerous than protective.
What is the 'bugs are bugs' security culture?
Popular in Linux kernel development, this approach treats security fixes like any other bug fix. The idea is to patch quickly without drawing attention, hoping the fix ships before anyone notices the underlying vulnerability.
How fast can AI identify security vulnerabilities in code commits?
In tests with Gemini, ChatGPT, and Claude, all three models correctly identified a security patch immediately when given the full commit. Even with limited context, some models still flagged it as likely security-relevant.
What are very short embargoes in vulnerability disclosure?
Very short embargoes (hours or days instead of months) give defenders just enough time to prepare patches before public disclosure. AI-assisted development tools can make these compressed timelines feasible.
Another look at how organizations handle security incidents under pressure
Recent Linux kernel vulnerability and practical mitigation steps
Need Help Implementing This?
Source: Hacker News: Best
Huma Shazia
Senior AI & Tech Writer
Related Articles
Browse all
Robotaxi Companies Are Hiding How Often Humans Take the Wheel
Autonomous vehicle firms like Waymo and Tesla are under scrutiny for refusing to disclose how often remote operators step in to control their self-driving cars. A Senate investigation reveals major gaps in transparency, raising safety and accountability concerns.
Wisconsin Governor Throws a Wrench in Age Verification Plans
Wisconsin Governor Tony Evers has vetoed a bill that would have required residents to verify their age before accessing adult content online, citing concerns over privacy and data security. This move comes as several other states have already implemented similar age check requirements. The veto has significant implications for the future of online age verification.
Apple's App Store Empire Under Siege: The Battle for the Future of Tech
The long-running feud between Apple and Epic Games has reached a boiling point, with Apple preparing to take its case to the Supreme Court. The tech giant is fighting to maintain control over its App Store, while Epic Games is pushing for more freedom for developers. The outcome could have far-reaching implications for the entire tech industry.
Tesla's Remote Parking Feature: The Investigation That Didn't Quite Park Itself
The US auto safety regulators have closed their investigation into Tesla's remote parking feature, but what does this mean for the future of autonomous driving? We dive into the details of the investigation and what it reveals about the technology. The National Highway Traffic Safety Administration found that crashes were rare and minor, but the investigation's closure doesn't necessarily mean the feature is completely safe.
Also Read
Canvas Data Breach: Schools Negotiated Directly With Hackers
The ShinyHunters hacking group stole 6.65 terabytes of student data from educational platform Canvas in April. Some affected schools bypassed the platform's parent company and contacted the hackers directly to prevent data release. The breach disrupted end-of-year activities for students across nearly 9,000 schools worldwide.
DJI Mini 4K Drone Drops to $209 in Limited Amazon Sale
The beginner-friendly DJI Mini 4K quadcopter is 30% off at Amazon, with the base model at $209 and the Fly More Combo at $309. The sub-249g drone requires no FAA registration and offers 31 minutes of flight time with 4K video stabilization.
Pentagon Releases 161 Declassified UFO Files With 30 Videos
The Pentagon published its first batch of declassified UAP files on May 8, responding to President Trump's February directive. The release includes 161 files with nearly 30 videos showing unidentified objects captured by military sensors, plus eyewitness accounts from Apollo astronauts.