On Wed, Apr 29, 2026 at 08:52:14PM +0200, Clemens Lang wrote:
> Hi,
>
> > On 29. Apr 2026, at 05:18, Jacob Bachmeyer <[email protected]> wrote:
> >
> >> I'm sorely tempted, both due to the increased volume and the risk of
> >> premature disclosure, to just assume that any vulnerability reported as a
> >> result of research using an LLM is trivially discoverable by others, and
> >> give up trying to pretend there's any point to working it under embargo.
> >
> > You are correct here: you should assume that any LLM will give a similar
> > result to another person who asks a similar question. In other words,
> > LLM-discovered vulnerabilities should be considered already publicly known.
>
> As a further data point backing up this theory: We’re seeing duplicate
> reports of the same issue found by multiple independent groups that use LLMs,
> within the embargo period.

We (on the kernel) are seeing duplicate reports of the same issue from
different groups within the time period it takes to get a fix merged
(i.e. just within a few days).

thanks,

greg k-h
