oss-sec mailing list archives
Re: Coordinated Disclosure in the LLM Age
From: Willy Tarreau <w () 1wt eu>
Date: Tue, 12 May 2026 21:19:38 +0200
On Tue, May 12, 2026 at 01:40:16PM -0400, Demi Marie Obenour wrote:
On 4/29/26 13:22, Willy Tarreau wrote:On Tue, Apr 28, 2026 at 10:18:08PM -0500, Jacob Bachmeyer wrote:On 4/28/26 09:58, Jeremy Stanley wrote:I'm sorely tempted, both due to the increased volume and the risk of premature disclosure, to just assume that any vulnerability reported as a result of research using an LLM is trivially discoverable by others, and give up trying to pretend there's any point to working it under embargo.You are correct here: you should assume that any LLM will give a similar result to another person who asks a similar question. In other words, LLM-discovered vulnerabilities should be considered already publicly known.I'm increasingly doing that myself already, and predicted the death of embargoes a serveral months ago. Now I just remove unneeded details from commit messages, merging and issue releases to keep users protected. Embargoes now play against security, for all the time we don't act, users stay exposed to anyone having the luck to find the same problem. It's not a matter of the LLM's strength but a matter of determination by the researcher who could simply run a small model several times helping it dig further. Bigger models just find faster, but that only counts for those seeking protection, not for those trying to attack.I wonder if some projects will abandon releases altogether and switch to a "use the latest commit from the dev branch" model.
It brings more problems than solutions. Stable branches are a comfort both for users and for developers because it allows to make progress and take risks in a dev branch. When you only have a dev branch, you need to be super cautious and often it prevents you from making breaking changes that are nonetheless necessary. But there will always be a number of projects working like this, I just think that the changes in the bug reporting process will not change their choice. Willy
Current thread:
- Coordinated Disclosure in the LLM Age Jeremy Stanley (Apr 28)
- Re: Coordinated Disclosure in the LLM Age Greg Dahlman (Apr 28)
- Re: Coordinated Disclosure in the LLM Age Jacob Bachmeyer (Apr 28)
- Re: Coordinated Disclosure in the LLM Age Peter Gutmann (Apr 28)
- Re: Coordinated Disclosure in the LLM Age Willy Tarreau (Apr 29)
- Re: Coordinated Disclosure in the LLM Age Renaud Allard (Apr 29)
- Re: Coordinated Disclosure in the LLM Age Demi Marie Obenour (May 12)
- Re: Coordinated Disclosure in the LLM Age Willy Tarreau (May 12)
- Re: Coordinated Disclosure in the LLM Age Yves-Alexis Perez (May 15)
- Re: Coordinated Disclosure in the LLM Age Greg KH (May 15)
- Re: Coordinated Disclosure in the LLM Age Santiago Ruano Rincón (May 15)
- Re: Coordinated Disclosure in the LLM Age Greg KH (May 16)
- Re: Coordinated Disclosure in the LLM Age Demi Marie Obenour (May 15)
- Re: Coordinated Disclosure in the LLM Age Greg KH (Apr 30)
- Re: Coordinated Disclosure in the LLM Age Douglas Bagnall (May 21)
- Re: Coordinated Disclosure in the LLM Age Jeremy Stanley (Apr 29)