oss-sec mailing list archives

Re: Coordinated Disclosure in the LLM Age

From: Douglas Bagnall <douglas.bagnall () catalyst net nz>
Date: Thu, 21 May 2026 15:13:40 +1200

On 30/04/2026 06:52, Clemens Lang wrote:

In other words, LLM-discovered vulnerabilities should be considered already publicly known.


As a further data point backing up this theory: We’re seeing duplicate reports of the same issue found by multiple 
independent groups that use LLMs, within the embargo period.

In Samba we see maybe a third of valid security bugs being reported morethan once. So far I think the invalid ones are all invalid in their ownways.

There is a counter-argument in favour of coordinated fixes, if notdisclosure, in that LLMs make it easier to create an exploit from apatch or announcement. This means simultaneous patching is moreimportant, to the extent we worry about opportunistic low-skill attacks.

Perhaps much depends on deployment. There are engineers here whosefull-time job seems to be planning openstack upgrades, yet theirworkstations will update curl or evince without interaction. It mightnot be that all these projects should have the same security process.

Samba is continuing to muddle along more or less as before, though withan eye to streamlining things.


Douglas

Current thread:

Re: Coordinated Disclosure in the LLM Age, (continued)
- - - Re: Coordinated Disclosure in the LLM Age Renaud Allard (Apr 29)
    - Re: Coordinated Disclosure in the LLM Age Demi Marie Obenour (May 12)
    - Re: Coordinated Disclosure in the LLM Age Willy Tarreau (May 12)
    - Re: Coordinated Disclosure in the LLM Age Yves-Alexis Perez (May 15)
    - Re: Coordinated Disclosure in the LLM Age Greg KH (May 15)
    - Re: Coordinated Disclosure in the LLM Age Santiago Ruano Rincón (May 15)
    - Re: Coordinated Disclosure in the LLM Age Greg KH (May 16)
    - Re: Coordinated Disclosure in the LLM Age Demi Marie Obenour (May 15)
  - Re: Coordinated Disclosure in the LLM Age Clemens Lang (Apr 29)
    - Re: Coordinated Disclosure in the LLM Age Greg KH (Apr 30)
    - Re: Coordinated Disclosure in the LLM Age Douglas Bagnall (May 21)
- Re: Coordinated Disclosure in the LLM Age Lucas Holt (Apr 29)
  - Re: Coordinated Disclosure in the LLM Age Jeremy Stanley (Apr 29)
  - Re: Coordinated Disclosure in the LLM Age Brian May (Apr 29)
- Re: Coordinated Disclosure in the LLM Age Tim Shephard (May 11)
  - Sv: Coordinated Disclosure in the LLM Age Markus Klyver (May 15)
    - Sv: Coordinated Disclosure in the LLM Age ROI AI (May 15)
- Re: Coordinated Disclosure in the LLM Age Alan Coopersmith (May 20)
  - Re: Coordinated Disclosure in the LLM Age ROI AI (May 21)
    - Re: Coordinated Disclosure in the LLM Age ROI AI (May 21)