AI disrupts coordinated vulnerability disclosure and bug-fix cultures
The traditional approaches to software vulnerability management are being upended by AI's ability to find and analyze security flaws rapidly. Two cultures have long coexisted: coordinated disclosure, where researchers report bugs privately to maintainers and allow a 90-day window for fixes, and the Linux-style 'bugs are bugs' culture, which patches issues quietly without drawing attention. AI now undermines both. With AI-assisted groups scanning codebases, vulnerabilities are found much faster: in one case, the same ESP flaw was independently reported by Kuan-Ting Chen just nine hours after researcher Kim's initial report. This makes long embargoes risky, because they create a false sense of security and limit who can work on fixes. Meanwhile, the high volume of AI-generated security patches increases the signal-to-noise ratio for attackers examining commits, making exploitable fixes easier to identify. The author proposes very short embargoes, made workable by AI tools that speed up defenders, as a potential solution. A quick test using Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7 on a sample commit showed varying ability to identify security patches from the diff alone, illustrating AI's growing capability in this area.
Key facts
- AI-assisted groups are scanning software for vulnerabilities at unprecedented speed.
- Coordinated disclosure culture gives maintainers ~90 days to fix bugs privately.
- Linux 'bugs are bugs' culture patches quietly without drawing attention.
- A single ESP vulnerability was independently reported by Kim and Kuan-Ting Chen within nine hours.
- Long embargoes create a false sense of non-urgency and limit who can fix flaws.
- AI-generated security patches increase the signal-to-noise ratio for attackers analyzing commits.
- The author tested Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7 on a commit to identify security patches.
- Very short embargoes, aided by AI for defenders, are proposed as a solution.