AI Breaking Two Vulnerability Disclosure Cultures in Security
Original: AI is breaking two vulnerability cultures
Why This Matters
Shows how AI acceleration is fundamentally changing cybersecurity disclosure practices.
Jeff Kaufman analyzes how AI is disrupting traditional vulnerability disclosure practices in cybersecurity. The Copy Fail vulnerability case exposes the tension between the coordinated-disclosure culture and the open-source fix-in-public culture: AI tools make detecting security patches in a commit stream easier and faster, which reduces the effectiveness of embargoes.
The article examines how AI acceleration is challenging established vulnerability disclosure practices through the Copy Fail case. Hyunwoo Kim followed the Linux kernel protocol: he reported the security impact privately while landing the fix in the open, but someone noticed the change and disclosed it publicly within hours. Two competing cultures exist: coordinated disclosure (private reporting to vendors with a 90-day window before publication) and Linux's 'bugs are bugs' approach (fix quickly and openly, without calling attention to the security impact). AI now makes examining commits more attractive, because the stream of commits has a higher signal-to-noise ratio than the code base as a whole and a model can cheaply evaluate each commit as it lands. The author tested Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7 on security patch detection; all of them identified the vulnerabilities immediately. Kuan-Ting Chen independently reported the ESP vulnerability just nine hours after Kim's report, demonstrating how AI-assisted scanning reduces the effectiveness of an embargo.