Jeff Kaufman — AI Is Breaking Two Vulnerability Disclosure Cultures
AI relevance: AI models like Gemini 3.1 Pro, GPT-5.5, and Claude Opus 4.7 can now identify security patches from raw kernel diffs instantly, accelerating both attacker and defender vulnerability discovery and undermining the assumptions behind both coordinated disclosure and the Linux kernel's "bugs are bugs" culture.
The Story
Jeff Kaufman published an analysis of how AI-accelerated vulnerability discovery is disrupting two established disclosure cultures simultaneously:
- Coordinated disclosure culture — where researchers report privately to vendors with a fixed embargo window (often 90 days), assuming few others will independently find the same bug during that period.
- "Bugs are bugs" culture — common in the Linux kernel, where security fixes are merged quietly in the open, relying on the noise of thousands of daily commits to obscure which changes are security-relevant.
Both models assumed human-speed detection. AI changes that calculus:
- AI scanning of public commit diffs now has a high signal-to-noise ratio — security fixes are obvious when an LLM evaluates them.
- Kaufman tested Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7: all three immediately identified the Copy Fail ESP fix (commit f4c50a403) as security-relevant.
- In the Copy Fail 2 case, two independent researchers (Hyunwoo Kim and Kuan-Ting Chen) reported the same ESP vulnerability just nine hours apart — evidence that AI-assisted scanning is compressing the window between discovery reports.
- Copy Fail 2 ("Electric Boogaloo") achieves unprivileged local privilege escalation via xfrm ESP-in-UDP MSG_SPLICE_PAGES, writing to any readable file — confirmed root on Ubuntu 24.04, Debian 13, Arch, Fedora 43, and Ubuntu 26.04 LTS.
Why It Matters
- Embargoes create false security: The assumption that "only the vendor knows" during a 90-day window no longer holds when AI teams are scanning commits and diffs continuously.
- Quiet kernel fixes no longer work: AI can filter the noise of thousands of commits and flag security-relevant changes in real time — the "hiding in plain sight" strategy is dead.
- Defenders can move faster too: AI-assisted patch analysis means organizations can triage and deploy fixes within hours instead of weeks, enabling shorter embargo windows that were previously impractical.
What to Do
- Shift from long embargoes to short (days, not months) coordinated disclosure windows matched to AI-accelerated patch deployment.
- Assume any merged security fix will be identified and weaponized within hours, not weeks — prioritize rapid patching over secrecy.
- Deploy AI-assisted commit scanning on your own dependency tree to detect upstream security fixes before public advisories arrive.
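Scanning a dependency's commit history for quietly merged security fixes, as the last item recommends, is cheaper if a deterministic pre-filter ranks commits before any model sees the diffs. The following is an added example (not Kaufman's code or any kernel project tooling): it parses constructed, simplified `git log -p` text with placeholder hashes and scores each commit on stable tags, Fixes: trailers, memory-safety wording and added bounds checks, so only candidates go on to human or LLM review.

```python
import re
# Constructed, simplified `git log -p` text with placeholder hashes (not real kernel commits).
SAMPLE_LOG = """commit aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111
    net: example: validate length before copying to user space
    A crafted packet could make the copy read past the end of the buffer.
    Fixes: bbbb2222bbbb ("net: example: add fast path")
    Cc: stable@vger.kernel.org
diff --git a/net/example.c b/net/example.c
@@ -10,6 +10,8 @@
+    if (len > skb->len)
+        return -EINVAL;
     copy_to_user(buf, skb->data, len);
commit cccc3333cccc3333cccc3333cccc3333cccc3333
    docs: fix typo in README
diff --git a/README b/README
+the
"""

HINTS = [  # (part to scan, regex, weight, reason); tune the weights for your own tree
    ("message", r"^Cc:.*stable@", 3, "tagged for stable"),
    ("message", r"^Fixes:", 2, "Fixes: trailer"),
    ("message", r"\b(overflow|use.after.free|out.of.bounds|uninitiali[sz]ed|double.free|crafted|race)\b|past the end", 2, "memory-safety wording"),
    ("message", r"\b(validate|sanitize|check|bounds|limit|clamp)", 1, "validation wording"),
    ("added", r"^\+\s*if\s*\(.*\b(len|size|count|offset)\b.*[<>]", 2, "added bounds check"),
    ("added", r"^\+\s*return\s+-E[A-Z]+", 1, "added error return"),
]

def parse_commits(log_text):
    """Split `git log -p` output into {hash, message lines, added diff lines} per commit."""
    commits = []
    for chunk in re.split(r"^commit (?=[0-9a-f]{40}$)", log_text, flags=re.M)[1:]:
        head, _, diff = chunk.partition("\ndiff --git ")
        lines = head.splitlines()
        commits.append({"hash": lines[0][:12],
                        "message": [l.strip() for l in lines[1:] if l.startswith("    ")],
                        "added": [l for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]})
    return commits

def score_commit(commit):
    """Sum the weights of every indicator that fires; return (score, reasons)."""
    score, reasons = 0, []
    for part, pattern, weight, why in HINTS:
        if any(re.search(pattern, line, re.I) for line in commit[part]):
            score, reasons = score + weight, reasons + [why]
    return score, reasons

def triage(log_text, threshold=3):
    """Return (hash, score, reasons) for commits at or above threshold, highest first."""
    scored = [(c["hash"],) + score_commit(c) for c in parse_commits(log_text)]
    return sorted([x for x in scored if x[1] >= threshold], key=lambda x: x[1], reverse=True)
```

Feed the output of `git log -p` on a dependency into `triage` and send only the flagged commits to a model for the kind of evaluation described above.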