AI/TLDR

Jeff Kaufman · 2026-05-08 · major

Jeff Kaufman: AI Is Breaking Two Vulnerability Cultures

AI vulnerability scanners are eroding both 90-day coordinated disclosure and Linux's 'just fix it quietly' tradition. Kaufman argues for very short, decreasing embargoes as the new normal.


AI scanners ended both 90-day embargoes and Linux's 'fix it quietly' culture in the same week — Jeff Kaufman maps what comes next.

What is it?

An essay on how the two long-standing schools of vulnerability handling are buckling under AI. The first is coordinated disclosure: report privately, give vendors a 90-day window, ship the fix before the world notices. The second, common in the Linux kernel, is 'bugs are bugs' — fix things fast and don't draw attention. Kaufman argues both rest on assumptions that AI has invalidated.

How does it work?

He walks through the Copy_Fail2 incident from the week of May 1: Hyunwoo Kim shared a quiet patch the same day the flaw was discovered, but a third party noticed the change, recognised its implications, and went public, ending the embargo early. He then points to ESP, where Kuan-Ting Chen independently rediscovered the same flaw nine hours after Kim. Kaufman's claim: AI commit scanners and code analysis make this kind of parallel rediscovery cheap and routine, so any embargo longer than 'hours' leaks.

Why does it matter?

Kaufman proposes embargoes that start very short and shrink further over time, on the theory that defenders also get AI. The piece is the lead AI-security discussion on Hacker News today (365 points), and the framing — that disclosure norms are now an AI-pacing question — is starting to ripple into Linux kernel and OpenSSF debates.

Who is it for?

Security engineers, kernel maintainers, anyone setting disclosure policy.

Try it

Read at jefftk.com/p/ai-is-breaking-two-vulnerability-cultures

Sources · 3 outlets

Tags

  • security
  • vulnerability-disclosure
  • coordinated-disclosure
  • linux-kernel
  • ai-security
  • embargo
  • code-scanning
  • copy-fail
