AI Is Breaking the Two Vulnerability Cultures: Coordinated Disclosure vs. Linux's "Bugs Are Bugs"

Jeff Kaufman's post "AI Is Breaking Two Vulnerability Cultures" examines the tension between coordinated disclosure and Linux's "bugs are bugs" approach, a tension that AI is accelerating. The Copy Fail vulnerability (reported May 2026) illustrates the breakdown: Hyunwoo Kim followed standard Linux procedure, privately sharing the details with a closed list of security engineers while fixing it quietly in the open. But someone noticed the diff, realized the security implications, and went public immediately, ending the embargo.

The Two Cultures

- Coordinated disclosure: Report privately and give maintainers ~90 days to fix. The goal is to patch before the public knows. But with AI-assisted scanning, independent rediscovery is common: in this case, just 9 hours after Kim's report, Kuan-Ting Chen independently found the same bug.
- Linux "bugs are bugs": Fix fast without drawing attention. The argument: if the kernel does something wrong, someone may weaponize it. But as AI gets good at finding vulnerabilities, the signal-to-noise ratio of commits rises, making examining them more attractive and cheaper.

Why AI Changes Everything

Kaufman tested three AI models on the fix (f4c50a403): Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7 all identified it as a security patch instantly. Even with just the diff (no context), Gemini was sure, GPT probable, Claude probable. This means embargoes — even short ones — are increasingly fragile: defenders can use AI too, but attackers can scan commits faster.
Kaufman suggests very short embargoes (and shortening further over time) as a pragmatic response, leveraging AI to accelerate defenders. Long embargoes create a false sense of non-urgency and limit who can work on fixes.
Read the full post for deeper analysis and the specific prompt Kaufman used for testing.