On 4/29/26 13:22, Willy Tarreau wrote:
> On Tue, Apr 28, 2026 at 10:18:08PM -0500, Jacob Bachmeyer wrote:
>> On 4/28/26 09:58, Jeremy Stanley wrote:
>>> I'm sorely tempted, both due to the increased volume and the risk of
>>> premature disclosure, to just assume that any vulnerability reported as
>>> a result of research using an LLM is trivially discoverable by others,
>>> and give up trying to pretend there's any point to working it under
>>> embargo.
>>
>> You are correct here:  you should assume that any LLM will give a similar
>> result to another person who asks a similar question.  In other words,
>> LLM-discovered vulnerabilities should be considered already publicly known.
> 
> I'm increasingly doing that myself already, and predicted the death of
> embargoes several months ago. Now I just remove unneeded details from
> commit messages, merging and issue releases to keep users protected.
> 
> Embargoes now play against security, for all the time we don't act,
> users stay exposed to anyone having the luck to find the same problem.
> It's not a matter of the LLM's strength but a matter of determination
> by the researcher who could simply run a small model several times
> helping it dig further. Bigger models just find faster, but that only
> counts for those seeking protection, not for those trying to attack.

I wonder if some projects will abandon releases altogether and switch
to a "use the latest commit from the dev branch" model.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
