AI Is Breaking the Two Vulnerability Cultures: Coordinated Disclosure vs. Linux's "Bugs Are Bugs"

Jeff Kaufman's post "AI Is Breaking Two Vulnerability Cultures" examines the tension between coordinated disclosure and Linux's "bugs are bugs" approach, accelerated by AI. The Copy Fail vulnerability (reported May 2026) illustrates the breakdown: Hyunwoo Kim followed standard Linux procedure — privately sharing with a closed list of security engineers while fixing quietly in the open. But someone noticed the diff, realized the security implications, and went public immediately, ending the embargo.
The Two Cultures
- Coordinated disclosure: Report privately, give maintainers ~90 days to fix. Goal: patch before public knows. But with AI-assisted scanning, independent rediscovery is common — in this case, just 9 hours after Kim's report, Kuan-Ting Chen independently found the same bug.
- Linux "bugs are bugs": Fix fast without drawing attention. The argument: if the kernel does something wrong, someone may weaponize it. But as AI gets good at finding vulnerabilities, the signal-to-noise ratio of commits rises, making examination more attractive and cheaper.
Why AI Changes Everything
Kaufman tested three AI models on the fix (f4c50a403): Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7 all identified it as a security patch instantly. Even with just the diff (no context), Gemini was sure, GPT probable, Claude probable. This means embargoes — even short ones — are increasingly fragile: defenders can use AI too, but attackers can scan commits faster.
Kaufman suggests very short embargoes (and shortening further over time) as a pragmatic response, leveraging AI to accelerate defenders. Long embargoes create a false sense of non-urgency and limit who can work on fixes.
Read the full post for deeper analysis and the specific prompt Kaufman used for testing.
📖 Read the full source: HN AI Agents
👀 See Also

Cybercriminals Are Pushing Back Against AI-Generated Slop on Underground Forums
New research shows low-level hackers and scammers are complaining about AI-generated posts on cybercrime forums, viewing them as low-quality noise that undermines community trust and social interaction.

AI System Discovers 12 OpenSSL Zero-Days, Curl Cancels Bug Bounty Due to AI Spam
AISLE's AI system discovered all 12 zero-day vulnerabilities in OpenSSL's recent security release, marking the first large-scale demonstration of AI-based cybersecurity. Meanwhile, curl cancelled its bug bounty program due to AI-generated spam submissions.

Securing OpenClaw Infrastructure with Pomerium Identity-Aware Proxy
Use Pomerium as an identity-aware proxy for zero-trust authentication to secure OpenClaw server access.

OpenAI's June 2026 Threat Report: AI Agents Used for Malicious Activities
OpenAI's latest threat report details how AI agents are being used for disinformation, phishing, and fraud, with specific incident data and mitigation strategies.