oss-sec mailing list archives

Re: Coordinated Disclosure in the LLM Age


From: Clemens Lang <cllang () redhat com>
Date: Wed, 29 Apr 2026 20:52:14 +0200

Hi,

On 29. Apr 2026, at 05:18, Jacob Bachmeyer <jcb62281 () gmail com> wrote:

I'm sorely tempted, both due to the increased volume and the risk of premature disclosure, to just assume that any 
vulnerability reported as a result of research using an LLM is trivially discoverable by others, and give up trying 
to pretend there's any point to working it under embargo.

You are correct here:  you should assume that any LLM will give a similar result to another person who asks a similar 
question.  In other words, LLM-discovered vulnerabilities should be considered already publicly known.

As a further data point backing up this theory: We’re seeing duplicate reports of the same issue found by multiple 
independent groups that use LLMs, within the embargo period.

-- 
Clemens Lang
RHEL Crypto Team
Red Hat
