Message-Id: <3CD03E7B-92A9-4C32-AC58-E811FB8A43A6@redhat.com>
Date: Wed, 29 Apr 2026 20:52:14 +0200
From: Clemens Lang <cllang@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Coordinated Disclosure in the LLM Age

Hi,

> On 29. Apr 2026, at 05:18, Jacob Bachmeyer <jcb62281@...il.com> wrote:
> 
>> I'm sorely tempted, both due to the increased volume and the risk of premature disclosure, to just assume that any vulnerability reported as a result of research using an LLM is trivially discoverable by others, and give up trying to pretend there's any point to working it under embargo.
> 
> You are correct here:  you should assume that any LLM will give a similar result to another person who asks a similar question.  In other words, LLM-discovered vulnerabilities should be considered already publicly known.

As a further data point backing up this theory: We’re seeing duplicate reports of the same issue found by multiple independent groups that use LLMs, within the embargo period.

-- 
Clemens Lang
RHEL Crypto Team
Red Hat
