Vulnerability reports are not special anymore

337 points · 191 comments on HN · read original →

Points and comments are a snapshot, not live.

LLMs have made vulnerability insight abundant, ending the special treatment of security reports.

Filippo Valsorda argues that LLMs have democratized vulnerability discovery, making insight and confidentiality less scarce. Security researchers' contributions are now often indistinguishable from LLM-generated noise, and attackers can find bugs just as easily. Triage and rapid remediation, not accommodating reporters, are the key tasks. He notes that some high-severity reports from trusted sources remain special, and that projects may need to classify reports rapidly. The post was written in 2026 and includes discussion of the author's experience as Go security lead.

What commenters are saying

Commenters overwhelmingly confirm a flood of low-quality AI-generated vulnerability reports, with some receiving 2-5 per week. Many are spam or extortion attempts. One commenter suggests requiring a small payment to deter spammers, while another notes a filter already helps. A minority argue that legitimate reports should still be treated seriously, but the thread's center of gravity is that the volume of noise undermines coordinated disclosure. The consensus is that the era of privileged vulnerability reports is over, and banning bad actors is now feasible.