oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Coordinated Disclosure in the LLM Age

From: Greg KH <greg () kroah com>
Date: Thu, 30 Apr 2026 15:48:17 +0200
On Wed, Apr 29, 2026 at 08:52:14PM +0200, Clemens Lang wrote:

Hi,


On 29. Apr 2026, at 05:18, Jacob Bachmeyer <jcb62281 () gmail com> wrote:


I'm sorely tempted, both due to the increased volume and the risk of premature disclosure, to just assume that any 
vulnerability reported as a result of research using an LLM is trivially discoverable by others, and give up 
trying to pretend there's any point to working it under embargo.


You are correct here:  you should assume that any LLM will give a similar result to another person who asks a 
similar question.  In other words, LLM-discovered vulnerabilities should be considered already publicly known.


As a further data point backing up this theory: We’re seeing duplicate reports of the same issue found by multiple 
independent groups that use LLMs, within the embargo period.


We (on the kernel) are seeing duplicate reports of the same issue from
different groups within the time period it takes to get a fix merged
(i.e. just within a few days).

thanks,

greg k-h
Previous By Date Next
Previous By Thread Next

Current thread: