Summarizer

Independent Discovery Frequency

The ESP vulnerability was independently discovered by a second researcher just nine hours after the first report, illustrating how AI-accelerated discovery makes simultaneous finds common and undermines the rationale for long embargoes.

← Back to AI is breaking two vulnerability cultures

The discussion highlights how AI-driven tools have turned vulnerability discovery from a specialized, manual skill into a systematic process, sharply narrowing the interval between independent reports of the same bug. One commenter argues that a long embargo therefore becomes an "illusion": if several parties outside the embargo are likely to find the same flaw within the window, the window no longer buys the protection it is meant to. The same commenter notes that coordinated disclosure has rested on a "guild ethic" among a small community of researchers, and that as discovery rates climb and the barrier to exploitation drops, that ethic has less to stand on. A side thread disputes whether the claim that discovery is accelerating rests on formal scientific evidence; the reply is that the question was always an empirical judgement rather than a scientific one, and that the observed rate of discovery and exploitation is clearly rising.

3 comments tagged with this topic

View on HN · Topics
> people were already diffing kernel commits and figuring out which ones were security fixes

With skill, and usually not consistently and systematically. With AI, anyone can do this to any software.

> not sure shorter embargoes really help

Why 90 days versus 2 years? The author is arguing the factors that set that balance have shifted, given the frequency of simultaneous discovery. The embargo window isn't an actual window, just an illusion, if the exploit is going to be found by several people outside the embargo anyway.

> cheaper exploit generation probably makes coordinated disclosure more important

I agree. But it also makes it less viable. If script kiddies can find and exploit zero-days, the capacity to coordinate breaks down. There was always a guild ethic that drove white-hat culture. If the guild is broken, the ethic has nothing to stand on.
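The comment above refers to triaging a stream of commits to pick out the ones that are quietly fixing security bugs. The following is an added example, not code from the thread or from any project it mentions: a heuristic scorer that ranks commit messages by well-known fix markers (a `Fixes:` tag, `Cc: stable@vger.kernel.org`, sanitizer or fuzzer names, memory-safety vocabulary). The sample log, the commit hashes and the indicator weights are all constructed for illustration.

```python
"""Heuristic triage of commit messages for likely security fixes.

Added illustration only. The SAMPLE_LOG below is constructed (fake hashes,
invented subjects); the indicator weights are a judgement call, not data.
Input is in the shape of `git log --format="%H%n%s%n%b%n---"` output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: four commits, two of which look like security fixes.
SAMPLE_LOG = """\
aaaa000000000000000000000000000000000001
net: foo: fix use-after-free in foo_release()

foo_release() freed the skb and then touched skb->dev. Move the
kfree_skb() after the last use.

Fixes: bbbb000000000000000000000000000000000002 ("net: foo: add release path")
Cc: stable@vger.kernel.org
---
aaaa000000000000000000000000000000000003
docs: update maintainers entry for foo

---
aaaa000000000000000000000000000000000004
fs: bar: check length before copying to user buffer

A crafted ioctl argument could make len exceed the buffer size,
leading to an out-of-bounds read reported by KASAN.

Reported-by: syzbot
---
aaaa000000000000000000000000000000000005
foo: rename helper for clarity
---
"""


@dataclass
class Commit:
    sha: str
    subject: str
    body: str


# (compiled pattern, label, weight). Each indicator counts once per commit.
INDICATORS = [
    (re.compile(r"\bFixes:\s*[0-9a-f]{12,}", re.I), "fixes-tag", 2),
    (re.compile(r"\bCc:\s*stable@vger\.kernel\.org", re.I), "cc-stable", 2),
    (re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I), "cve-id", 4),
    (re.compile(r"\b(KASAN|KMSAN|UBSAN|syzbot|syzkaller)\b"), "sanitizer-or-fuzzer", 2),
    (re.compile(r"\b(use[- ]after[- ]free|double[- ]free|out[- ]of[- ]bounds|overflow|"
                r"underflow|toctou|null[- ]pointer|uninitiali[sz]ed|info(rmation)? leak)\b",
                re.I), "memory-safety-term", 3),
    # A "check/validate ... length/size/index/user" phrase on one line.
    (re.compile(r"\b(check|validate|bound|sanitize|reject)\w*\b.*\b(length|len|size|index|offset|input|user)\b",
                re.I), "input-validation", 1),
]


def parse_log(text: str) -> list[Commit]:
    """Split '---'-separated records into Commit objects (sha, subject, body)."""
    commits = []
    for chunk in text.split("---\n"):
        lines = chunk.strip("\n").splitlines()
        if not lines:
            continue
        sha = lines[0].strip()
        subject = lines[1].strip() if len(lines) > 1 else ""
        body = "\n".join(lines[2:]).strip()
        commits.append(Commit(sha, subject, body))
    return commits


def score_commit(c: Commit) -> tuple[int, list[str]]:
    """Sum the weights of every indicator that appears in subject or body."""
    text = c.subject + "\n" + c.body
    score, reasons = 0, []
    for pat, label, weight in INDICATORS:
        if pat.search(text):
            score += weight
            reasons.append(label)
    return score, reasons


def triage(log_text: str, threshold: int = 3) -> list[tuple[str, str, int, list[str]]]:
    """Return (sha, subject, score, reasons) for commits at or above threshold, best first."""
    ranked = []
    for c in parse_log(log_text):
        score, reasons = score_commit(c)
        if score >= threshold:
            ranked.append((c.sha, c.subject, score, reasons))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


if __name__ == "__main__":
    for sha, subject, score, reasons in triage(SAMPLE_LOG):
        print(f"{score:2d} {sha[:12]} {subject}  [{', '.join(reasons)}]")
```

The point of the example is the shape of the workflow rather than the exact regexes: it is cheap, it runs over every commit rather than the ones a skilled reader happens to notice, and the misses (a fix whose message says nothing about memory safety) are exactly the commits a model reading the diff itself would catch and this keyword pass would not.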
View on HN · Topics
> How do you know?

We know because we could see the effects of the average rate of vulnerability discovery and exploitation, and it's definitely going up very fast. Until recently, vulnerabilities were relatively hard to find, and finding them was done by a very restricted group of people worldwide, which made them quite valuable. Not any more.
View on HN · Topics
> You have moved from "We know" to "We have an educated guess"

No. You kept blabbering about "science" when most uses of knowledge are not about science. The original topic was also definitely not "science": it was about having a reasonable opinion about whether, empirically, the rate of discovery of vulnerabilities is increasing or not.