Software engineer Jeff Kaufman (jefftk) published an article on May 8 titled “AI is Breaking Two Vulnerability Cultures,” arguing that AI is breaking two long-standing, coexisting cultures of vulnerability handling, coordinated disclosure and “bugs are bugs,” by invalidating an assumption both rely on: that attackers are slow to find what a defender has already found. AI-assisted automated scanning has already overturned that assumption. Kaufman’s original post also drew over 200 points on Hacker News, making it one of the most-discussed security pieces in the developer community this week.
Two vulnerability cultures: coordinated disclosure vs “bugs are bugs”
The two cultural frameworks Kaufman lays out:
Coordinated disclosure: discoverers privately notify maintainers, typically allow a 90-day patch window, and only then publish. The underlying assumption: attackers need time to independently find the same vulnerability.
“Bugs are bugs” silent patching: the common practice in open-source projects such as Linux. Security fixes are not flagged as such; they are buried in the ordinary commit volume so as not to draw attackers’ attention.
These two cultures could coexist in the past because attackers lacked fast, automatic, low-cost tools to scan every commit or to hunt for the same vulnerability at the same time. AI changes that premise.
AI’s impact on “silent patching”: commit scanning gets cheap
The concrete impact of AI on Linux-style open-source projects:
Past: attackers had to review commits one by one, which took a lot of people and time; hiding in commit volume was effective cover.
Now: AI can scan commit history cheaply and automatically pick out commits that look like security fixes, even when the author never says so.
Impact: silent patching is rapidly losing its stealth, and the buffer between a fix landing and its deployment is being compressed.
Kaufman puts it directly: “examining commits” is becoming increasingly attractive because AI’s assessment of every change is “getting cheaper and cheaper, and increasingly effective.” Open-source projects can no longer count on the traditional advantage that the fix reaches users before attackers notice it.
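To make the “commit scanning gets cheap” point concrete, here is an added example (not code from Kaufman’s post or from any project) of the kind of triage an attacker or a defender can run over a commit log: it scores each commit from signals in its diff alone (a new length comparison, a new NULL check, an overflow guard, an unsafe string function swapped out, a new error return, and whether the touched file lives in code that parses untrusted input) and flags commits whose diff scores high while the commit message says nothing about security. The signal patterns, weights and threshold are the author’s own assumptions for illustration, and all four commits are constructed samples; in a real pipeline this cheap filter would only decide which commits are worth sending to a model for closer review.

```python
"""Heuristic pre-filter for commits that look like unannounced security fixes.

Added example, not code from Kaufman's post or any project. All commits
below are constructed samples; the signal list and weights are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Commit:
    sha: str
    message: str
    diff: str  # unified diff text for the commit


# Words that make a commit message *explicitly* about security.
EXPLICIT_WORDS = re.compile(
    r"\b(security|cve-\d{4}-\d+|overflow|out[- ]of[- ]bounds|use[- ]after[- ]free|"
    r"double[- ]free|uninitiali[sz]ed|injection|exploit)\b", re.I)

# Paths where a quiet fix most often lives: code that parses untrusted input.
PATH_SIGNAL = re.compile(r"(^|/)(net|fs|crypto|drivers/usb)/|pars|decod|unpack", re.I)

# (regex over one *added* line, weight, reason). The bounds-check pattern wants
# a comparison that is not part of '->' or a shift, plus a size-like identifier.
ADDED_SIGNALS = [
    (r"\bif\s*\((?=.*(?<![-<>])(>=?|<=?)(?![<>])).*\b\w*(len|size|count|cnt|off|limit)\w*",
     2, "new bounds comparison"),
    (r"\bif\s*\(\s*(!\s*\w+|\w+\s*==\s*NULL)\s*\)", 2, "new NULL/failure check"),
    (r"\b(check_(add|sub|mul)_overflow|__builtin_(add|sub|mul)_overflow)\s*\(", 3,
     "new integer-overflow guard"),
    (r"\b(snprintf|strlcpy|strscpy|strncpy|strlcat)\s*\(", 1, "bounded string API"),
    (r"\b(memzero_explicit|kfree_sensitive|explicit_bzero)\s*\(|memset\s*\(.*,\s*0\s*,", 1,
     "buffer zeroing"),
    (r"\breturn\s+-(EINVAL|EOVERFLOW|ERANGE|E2BIG|ENOMEM)\b", 1, "new error path"),
]
# (regex over one *removed* line, weight, reason).
REMOVED_SIGNALS = [
    (r"\b(strcpy|strcat|sprintf|vsprintf|gets)\s*\(", 2, "unsafe string API removed"),
]
THRESHOLD = 3  # diff score at or above which a commit deserves a closer look


def score_commit(c: Commit) -> Dict:
    """Score one commit from its diff, then classify it against its message."""
    score, reasons = 0, set()
    for line in c.diff.splitlines():
        if line.startswith("+++ "):            # new-file header: "+++ b/path"
            if PATH_SIGNAL.search(line[4:]):
                score += 1
                reasons.add("touches input-parsing/boundary code")
        elif line.startswith("--- "):          # old-file header carries no signal
            continue
        elif line.startswith("+"):             # added line
            for pat, weight, why in ADDED_SIGNALS:
                if re.search(pat, line[1:]):
                    score += weight
                    reasons.add(why)
        elif line.startswith("-"):             # removed line
            for pat, weight, why in REMOVED_SIGNALS:
                if re.search(pat, line[1:]):
                    score += weight
                    reasons.add(why)
    explicit = bool(EXPLICIT_WORDS.search(c.message))
    return {"sha": c.sha, "score": score, "explicit": explicit,
            "likely_silent_fix": score >= THRESHOLD and not explicit,
            "reasons": sorted(reasons)}


def triage(commits: List[Commit]) -> List[Dict]:
    """Score every commit; highest diff score first (stable for ties)."""
    return sorted((score_commit(c) for c in commits), key=lambda r: -r["score"])


SAMPLE_COMMITS = [  # constructed samples, not real project history
    Commit("a1b2c3d", "net: foo: validate option length in foo_parse_opts\n\n"
           "Callers may hand us an option longer than the local buffer; reject it.",
           "--- a/net/foo/options.c\n+++ b/net/foo/options.c\n"
           "@@ -40,6 +40,8 @@ static int foo_parse_opts(const u8 *opt, int optlen, struct foo *f)\n"
           " \tu8 buf[16];\n \n"
           "+\tif (optlen > sizeof(buf))\n+\t\treturn -EINVAL;\n"
           " \tmemcpy(buf, opt, optlen);\n"),
    Commit("d4e5f6a", "docs: fix typo in README",
           "--- a/README\n+++ b/README\n@@ -1,3 +1,3 @@\n-Welcom to foo\n+Welcome to foo\n"),
    Commit("b7c8d9e", "fs: bar: use snprintf for path construction",
           "--- a/fs/bar/name.c\n+++ b/fs/bar/name.c\n@@ -12,7 +12,7 @@\n"
           "-\tsprintf(path, \"%s/%s\", dir, name);\n"
           "+\tsnprintf(path, sizeof(path), \"%s/%s\", dir, name);\n"),
    Commit("c0ffee1", "lib: image: fix integer overflow in pixel buffer allocation",
           "--- a/lib/image.c\n+++ b/lib/image.c\n"
           "@@ -88,6 +88,9 @@ static int alloc_pixels(struct img *im)\n"
           " \tsize_t bytes;\n \n"
           "+\tif (check_mul_overflow(im->w, im->h, &bytes))\n+\t\treturn -EOVERFLOW;\n"
           " \tbytes = im->w * im->h;\n"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_COMMITS):
        tag = "SILENT?" if r["likely_silent_fix"] else ("explicit" if r["explicit"] else "-")
        print(f"{r['sha']} score={r['score']} {tag:8} {', '.join(r['reasons'])}")
```

The two commits whose messages read like routine hygiene (“validate option length”, “use snprintf”) score as high as the one that openly says “integer overflow”, which is exactly the cover that silent patching depended on: a regex pass like this costs nothing per commit, and anything it flags can be handed to a model or a human for the expensive part.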
AI’s impact on coordinated disclosure: the 90-day embargo becomes counterproductive
The core of coordinated disclosure is the embargo: discoverers commit not to publish until maintainers can patch. But AI lets several teams hunt for the same vulnerability in parallel:
Specific case: a vulnerability reported by researcher Hyunwoo Kim was discovered independently just 9 hours later.
Several AI-assisted scanning teams can be working at once; a long embargo then creates a false sense that there is no urgency.
If someone else can find it in 9 hours, a 90-day embargo hands real attackers a window of 89 days and 15 hours.
Kaufman’s conclusion is that embargoes should become very short, and shrink further as AI capabilities improve. Importantly, the AI-accelerated dynamic does not favor attackers alone: defenders can also use AI to speed up patching and deployment, and both sides compete inside the compressed window.
Follow-up events worth watching: whether major projects such as the Linux kernel and Project Zero revise their disclosure-timing guidelines; how AI-assisted vulnerability scanning tooling matures and is commercialized alongside established static analyzers such as Semgrep and CodeQL; and, concretely, how corporate security teams respond to this AI-accelerated double-edged sword.
This article, “Jeff Kaufman: AI breaks two vulnerability-handling cultures at the same time, and a 90-day embargo becomes counterproductive,” first appeared on Chain News ABMedia.