AI is Breaking Two Vulnerability Cultures
AI-assisted scanning finds vulnerabilities faster than embargoes can contain them.
A week ago, the Linux kernel vulnerability known as 'Copy Fail' emerged. Hyunwoo Kim immediately realized the initial fixes were insufficient and shared a patch the same day, following standard Linux procedure: report the bug to a closed list of security engineers and fix it quietly. The goal was to embargo knowledge of the serious flaw for a few days, allowing time for patches to roll out. However, another developer noticed the change, recognized its security implications, and disclosed it publicly. The embargo was broken, and full details became available.
This incident highlights a growing tension between two vulnerability cultures. Coordinated disclosure gives vendors 90 days to fix a bug before going public. The 'bugs are bugs' culture in Linux advocates fixing silently to avoid drawing attention. Neither approach works well when AI-assisted groups are scanning software for vulnerabilities at unprecedented speed: just nine hours after Kim reported the ESP vulnerability, another researcher independently found it. AI also helps defenders: in a test on Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7, all three models readily identified security patches from diffs. The author argues for very short embargoes that get even shorter over time, enabled by AI that can accelerate both attack and defense.
- Copy Fail vulnerability in Linux kernel; Hyunwoo Kim patched it within hours.
- Another researcher publicly disclosed the flaw after noticing the patch, breaking the embargo.
- AI models (Gemini, GPT, Claude) can now cheaply analyze diffs to identify security fixes, raising the signal-to-noise ratio of patch monitoring.
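The claim above is that a commit diff often gives away a security fix even when the commit message does not. As an added example (not the article's code, and not the LLM-based test the author describes), the script below does the cheap, pre-AI version of that task with regular expressions: it scores unified diffs for tell-tale signals (a new bounds check, a new error return, a touched memory-copy call, security keywords) so a maintainer or distribution security team can decide which incoming commits to review and backport first. The three sample diffs, their file paths, and the weights are constructed for illustration.

```python
"""Heuristic triage of unified diffs for likely security relevance (added example)."""
import re
from dataclasses import dataclass, field

# --- constructed sample diffs (hypothetical paths and code, not real kernel commits) ---
SAMPLE_SECURITY_FIX = """\
diff --git a/net/example/parse.c b/net/example/parse.c
--- a/net/example/parse.c
+++ b/net/example/parse.c
@@ -40,7 +40,10 @@ static int parse_record(const u8 *buf, size_t len, struct rec *out)
-\tmemcpy(out->name, buf + 2, buf[1]);
+\tif (buf[1] > sizeof(out->name) - 1)
+\t\treturn -EINVAL;
+\tmemcpy(out->name, buf + 2, buf[1]);
 \tout->name[buf[1]] = 0;
 \treturn 0;
 }
"""
SAMPLE_REFACTOR = """\
diff --git a/drivers/example/dev.c b/drivers/example/dev.c
--- a/drivers/example/dev.c
+++ b/drivers/example/dev.c
@@ -10,4 +10,4 @@ static void fill(struct dev *d)
-\tmemcpy(d->buf, src, n);
+\tmemcpy(d->buf, source, n);
"""
SAMPLE_COSMETIC = """\
diff --git a/Documentation/example.rst b/Documentation/example.rst
--- a/Documentation/example.rst
+++ b/Documentation/example.rst
@@ -1,3 +1,3 @@
-This driver suports the widget.
+This driver supports the widget.
"""

# Signals evaluated on ADDED lines only: a fix typically adds a check or an error path.
ADDED_LINE_SIGNALS = [
    ("bounds check added", 2, re.compile(r"\bif\s*\(.*(?:<=|>=|<|>).*\b(?:len|size|sizeof|max|limit|count)\b")),
    ("error return added", 1, re.compile(r"\breturn\s+-E[A-Z]+\b")),
    ("NULL check added", 1, re.compile(r"\bif\s*\(\s*!\s*\w+\s*\)")),
    ("lock/refcount change", 1, re.compile(r"\b(?:mutex_lock|spin_lock|refcount_inc|kref_get)\b")),
]
# Signals evaluated on any changed (+ or -) line: memory-sensitive calls being edited.
CHANGED_LINE_SIGNALS = [
    ("memory-sensitive call touched", 1,
     re.compile(r"\b(?:memcpy|memmove|strcpy|strncpy|copy_from_user|copy_to_user|kmalloc|kfree|put_user|get_user)\b")),
]
# Signals evaluated on the whole diff text (hunk headers, comments, any included message).
KEYWORD_SIGNALS = [
    ("security keyword", 2, re.compile(
        r"\b(?:overflow|underflow|use-after-free|uaf|out-of-bounds|oob|double free|KASAN|syzbot|CVE-\d{4}-\d+)\b",
        re.IGNORECASE)),
]
# Paths whose changes are ignored as documentation rather than code.
NON_CODE_PATH = re.compile(r"(?:^|/)Documentation/|\.(?:rst|txt|md)$")
THRESHOLD = 3  # constructed cut-off; tune against your own backlog


@dataclass
class TriageResult:
    files: list = field(default_factory=list)
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def likely_security_fix(self) -> bool:
        return self.score >= THRESHOLD


def triage_diff(diff_text: str) -> TriageResult:
    """Walk a unified diff and accumulate a heuristic security-relevance score."""
    result = TriageResult()
    current_file = None
    seen = set()  # each (signal, file) pair counts once so long hunks do not inflate the score

    def hit(name, weight, scope, detail):
        if (name, scope) in seen:
            return
        seen.add((name, scope))
        result.score += weight
        result.reasons.append(f"{scope}: {name} ({detail.strip()})")

    for line in diff_text.splitlines():
        if line.startswith("+++ "):                      # new-file header names the file being changed
            path = line[4:].split("\t")[0]
            current_file = path[2:] if path.startswith(("a/", "b/")) else path
            result.files.append(current_file)
            continue
        if line.startswith(("--- ", "diff --git", "@@", "index ")):
            continue
        if current_file is None or NON_CODE_PATH.search(current_file):
            continue                                     # skip docs and anything before the first header
        is_added = line.startswith("+")
        is_changed = is_added or line.startswith("-")
        body = line[1:] if is_changed else line
        if is_added:
            for name, weight, rx in ADDED_LINE_SIGNALS:
                if rx.search(body):
                    hit(name, weight, current_file, body)
        if is_changed:
            for name, weight, rx in CHANGED_LINE_SIGNALS:
                if rx.search(body):
                    hit(name, weight, current_file, body)
    for name, weight, rx in KEYWORD_SIGNALS:
        match = rx.search(diff_text)
        if match:
            hit(name, weight, "<diff>", match.group(0))
    return result


def prioritize(diffs: dict) -> list:
    """Return (name, score) pairs, highest score first, for a batch of diffs to review."""
    scored = [(name, triage_diff(text).score) for name, text in diffs.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    batch = {"fix": SAMPLE_SECURITY_FIX, "refactor": SAMPLE_REFACTOR, "docs": SAMPLE_COSMETIC}
    for name, score in prioritize(batch):
        r = triage_diff(batch[name])
        print(f"{name:9s} score={score:2d} likely_fix={r.likely_security_fix} reasons={r.reasons}")
```

The weights are deliberately crude: the point is that a security fix in C tends to add a comparison against a length and an early error return around an existing copy, and that pattern is visible without any model at all. A review queue sorted by this score is a reasonable first filter; the LLM pass the article describes is what you would run on the commits that land above the threshold.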
Why It Matters
Short embargoes and AI-driven security reviews are becoming essential as AI accelerates vulnerability discovery on both sides.