On 30/04/2026 06:52, Clemens Lang wrote:
> In other words, LLM-discovered vulnerabilities should be considered already
> publicly known.
> As a further data point backing up this theory: We're seeing duplicate reports
> of the same issue found by multiple independent groups that use LLMs, within
> the embargo period.
In Samba we see maybe a third of valid security bugs being reported more
than once. So far I think the invalid ones are all invalid in their own
ways.
There is a counter-argument in favour of coordinated fixes, if not
disclosure, in that LLMs make it easier to create an exploit from a
patch or announcement. This means simultaneous patching is more
important, to the extent we worry about opportunistic low-skill attacks.
Perhaps much depends on deployment. There are engineers here whose
full-time job seems to be planning OpenStack upgrades, yet their
workstations will update curl or evince without interaction. It might
not be that all these projects should have the same security process.
Samba is continuing to muddle along more or less as before, though with
an eye to streamlining things.
Douglas