Vulnerability Embargoes Crack Under AI Speed

Two long-standing security disclosure cultures are colliding with AI-accelerated vulnerability hunting, and according to Hacker News, neither side is holding up well. The trigger: a recent Linux kernel flaw called Copy Fail, where engineer Hyunwoo Kim shipped a quiet patch following standard kernel practice. Within hours, someone spotted the commit, recognized the security implications, and broke the unofficial embargo wide open.

This isn’t just inside baseball for kernel maintainers. It’s a preview of how vulnerability disclosure has to change now that AI can read every commit faster than humans can hide them.

The Two Cultures, Briefly

Most of the security industry runs on coordinated disclosure. You find a bug, tell the vendor privately, and give them roughly 90 days to ship a fix before going public. The bet: nobody else stumbles onto the hole during that window.

Linux networking, where Copy Fail lived, runs on a different model. Call it the bugs-are-bugs approach. Fix it fast, fix it in the open, don’t draw attention. The reasoning: any kernel misbehavior could theoretically be weaponized, so silently shipping fixes and trusting the noise floor of thousands of daily commits to bury the signal is safer than dramatic announcements.

Both approaches assumed something that’s no longer true: that attackers can’t read every commit and infer security impact at machine speed.

What AI Just Broke

Hacker News reports that nine hours after Kim filed his ESP vulnerability report, Kuan-Ting Chen independently reported the same flaw. Nine hours. The 90-day embargo window now contains roughly 240 independent rediscovery cycles at that pace.

The “hide in the noise” model is in worse shape. When AI can scan every kernel commit and flag the ones that smell like security fixes, signal-to-noise inverts. The author tested three frontier models on the actual Copy Fail commit. Given full context, Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7 all flagged it as a security patch immediately. Even with just the raw diff, two of three correctly suspected security relevance.

This is significant because it means the economics of commit-scanning have flipped. What used to cost an attacker a senior reverse engineer’s afternoon now costs pennies in API calls.

What Should Change

The author’s conclusion: embargoes need to get much shorter, and they’ll need to keep shrinking. Long disclosure windows now create a false sense of non-urgency while limiting how many defenders can work the problem. The flip side is that AI also accelerates defenders, making genuinely short embargoes practical where they used to be useless.

For practitioners and security teams, a few takeaways stand out:

  • Treat 90-day embargoes as legacy. If your vulnerability management plan assumes attackers won’t notice during a long fix window, stress-test that assumption.
  • Patch latency is the new metric. The gap between fix-available and fix-deployed matters more than ever, because attackers now have AI watching the same commit feeds you do.
  • Invest in AI-assisted defense. Commit triage, patch analysis, and exposure scanning are where the asymmetry can be rebalanced. If attackers are running models on your patches, you should be too.
  • Maintainers should expect rediscovery. If two researchers can hit the same bug in nine hours, plan disclosure timelines and customer communications around that reality, not around a 2015 threat model.

What Comes Next

Expect disclosure norms to fragment over the next two years. Some projects will move toward near-instant public disclosure paired with rapid automated patching pipelines. Others will tighten access to the closed lists where embargoes still hold, betting on smaller trust circles. Linux’s bugs-are-bugs school may have to formalize parts of what was previously informal, simply because informal cover is gone.

The deeper shift here is that vulnerability disclosure was always a coordination game played at human speed. AI just made it a game played at machine speed, and the rulebooks haven’t caught up. Full details are at the original Hacker News discussion.
