Vulnerability Reports No Longer Hold Special Status

Original: Vulnerability reports are not special anymore

Why This Matters

Challenges conventional security vulnerability disclosure practices; signals potential shift in how open-source maintenance approaches security coordination.

Security researcher and Go maintainer Filippo Valsorda argues that vulnerability reports are no longer special because of LLM capabilities. As of 2026, LLMs can perform security analysis as well as human researchers, eliminating the scarcity of security insights and reducing the need for confidentiality coordination.

Filippo Valsorda, former lead of the Go Security team, contends that the traditional framework treating vulnerability reports as special obligations has become outdated. Historically, maintainers believed they owed security researchers responsiveness and attribution because researchers provided scarce insights and kept them confidential to allow time for fixes to be deployed before public disclosure.

Valsorda argues that neither premise holds in 2026. Large language models now match or exceed the capabilities of most security researchers, and anyone—maintainers, attackers, and researchers alike—can run them. Security insights are no longer scarce or precious, so the bottleneck shifts from vulnerability discovery to triage. External researchers cannot meaningfully contribute to triage without an established trust relationship, and sifting through LLM output has a signal-to-noise ratio similar to that of a security email inbox. Confidentiality and embargo coordination also matter less, because attackers can query LLMs themselves to find vulnerabilities rather than waiting for a full-disclosure post.

Valsorda suggests the era of vulnerability reports being special may have ended, calling it an uncomfortable but necessary transition. He proposes that maintainers focus on triage, rapid remediation, and prevention—integrating LLM analysis into continuous integration pipelines rather than relying on the traditional security researcher workflow.

Source

words.filippo.io