On Tue, May 12, 2026 at 01:40:16PM -0400, Demi Marie Obenour wrote:
> On 4/29/26 13:22, Willy Tarreau wrote:
> > On Tue, Apr 28, 2026 at 10:18:08PM -0500, Jacob Bachmeyer wrote:
> >> On 4/28/26 09:58, Jeremy Stanley wrote:
> >>> I'm sorely tempted, both due to the increased volume and the risk of
> >>> premature disclosure, to just assume that any vulnerability reported as
> >>> a result of research using an LLM is trivially discoverable by others,
> >>> and give up trying to pretend there's any point to working it under
> >>> embargo.
> >>
> >> You are correct here: you should assume that any LLM will give a similar
> >> result to another person who asks a similar question. In other words,
> >> LLM-discovered vulnerabilities should be considered already publicly known.
> >
> > I'm increasingly doing that myself already, and predicted the death of
> > embargoes several months ago. Now I just remove unneeded details from
> > commit messages, merging and issue releases to keep users protected.
> >
> > Embargoes now play against security, for all the time we don't act,
> > users stay exposed to anyone having the luck to find the same problem.
> > It's not a matter of the LLM's strength but a matter of determination
> > by the researcher who could simply run a small model several times
> > helping it dig further. Bigger models just find faster, but that only
> > counts for those seeking protection, not for those trying to attack.
>
> I wonder if some projects will abandon releases altogether and switch
> to a "use the latest commit from the dev branch" model.

It brings more problems than solutions. Stable branches are a comfort
both for users and for developers because it allows to make progress
and take risks in a dev branch. When you only have a dev branch, you
need to be super cautious and often it prevents you from making
breaking changes that are nonetheless necessary. But there will always
be a number of projects working like this, I just think that the
changes in the bug reporting process will not change their choice.

Willy
