Jeff Kaufman published an analysis on May 8, 2026, examining how AI is simultaneously breaking two established approaches to vulnerability disclosure in software security. The analysis argues that both coordinated disclosure and "bugs are bugs" strategies are becoming ineffective as AI tools enable rapid vulnerability detection in code changes.
Two Disclosure Models Under Pressure
The security community has traditionally relied on two main approaches:
- Coordinated Disclosure: Privately notify maintainers and allow time (typically 90 days) for fixes before public disclosure
- "Bugs are Bugs": Fix problems quickly and openly without drawing attention to them, relying on the volume of ordinary changes to obscure security patches
Kaufman's core argument: "So many security fixes are coming out now that examining commits is much more attractive" because AI can efficiently detect vulnerabilities in code changes. This undermines the "bugs are bugs" strategy, since a quiet fix no longer stays hidden among routine commits, and it also makes traditional embargoes less effective, because a fix that lands publicly before the embargo ends reveals the bug to anyone watching the repository.
Real-World Example: Copy Fail Vulnerability
The Copy Fail vulnerability demonstrated this problem in practice. A developer shared a fix on the same day the vulnerability was discovered. Within nine hours, another person "noticed the change, realized the security implications, and shared it publicly." In a separate case, Kuan-Ting Chen independently reported the ESP vulnerability just nine hours after Kim had reported it.
These parallel discoveries highlight how AI tools enable multiple independent researchers to identify the same vulnerability within hours, making coordinated disclosure windows increasingly difficult to maintain.
Proposed Solution: Progressively Shorter Embargoes
Kaufman proposes "very short embargoes" that progressively shorten over time. The approach rests on AI accelerating defenders' response (triage, patching, and rollout) just as it accelerates attackers' vulnerability detection, and it acknowledges that disclosure windows must adapt to the new reality of AI-assisted security research.
The analysis generated significant discussion on Hacker News, garnering 220 points and 96 comments, indicating strong community resonance with the challenges facing traditional security disclosure practices.
Key Takeaways
- AI tools are breaking both coordinated disclosure (90-day embargoes) and "bugs are bugs" (quiet fixes) vulnerability disclosure strategies
- Multiple independent researchers using AI can now discover the same vulnerability within hours of a code commit
- The Copy Fail vulnerability was independently discovered and disclosed by two researchers within nine hours
- Security expert Jeff Kaufman proposes progressively shorter embargoes as AI accelerates both offensive and defensive security capabilities
- The analysis received 220 points and 96 comments on Hacker News, reflecting widespread community concern about evolving disclosure practices