There is definitely some truth to this, but I suspect these numbers are inflated quite a bit by all the BS LLM-generated bug reports.
https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/
The Firefox security team has gone over, verified and patched all these bugs. They used to do 30 a month, and then they got access to Mythos and found 70 bugs, then last month they found 423.
I really worry for developers if they are going to get bombarded with hundreds of "P0" incidents that must be fixed immediately. The pressure on developers is bad enough as is.
One real concern I have is that there are now automated tools that can read a patch, and the maintainer's release notes with a description of a security vulnerability fixed by that patch, and then create a working exploit of the pre-patch vulnerability.
In that particular moment, you know that a vulnerability exists and that it was serious enough to be described in release notes, and you can compare two code versions, one that is secure and one that is not. From there, any AI coding agent is working towards something that definitely exists, with a bunch of description of what it might be.
So that means that the window between when a patch is released and when users actually apply that patch is going to be more important than ever. Downstream maintainers will be under a lot of time pressure to implement changes from upstream, because every new security patch will create a race to create 1-day exploits for everyone using that software.
Open source is going to need to move slower, I think. They won't be able to take advantage of AI to speed up development because there is a bigger risk of pushing a bad release.
I am curious about what will happen next month. Will Mythos find 500-1000 new bugs or will Mozilla have fixed every bug pattern Mythos knows and they will get few if any additional bugs? Will Mythos start hallucinating bugs or suggesting exploits that require an impossible coincidence to occur?