THE QUICK TAKE
  • Filippo Valsorda argues on his personal blog that LLMs are now as capable as most human researchers at finding bugs, meaning the scarcity that once made a vuln report special has evaporated.
  • ICSE 2026 peer-reviewed research directly contradicts that framing, finding LLM vulnerability discovery has stalled and performs no better than basic code-metric classifiers.
  • The EU Cyber Resilience Act, taking effect September 2026, legally mandates coordinated disclosure policies, pushing industry in the exact opposite direction from what Valsorda's blog post suggests.

What Folks Are Hollerin' About

Well, grab your sweet tea and pull up a lawn chair, because somebody done lobbed a lit bottle rocket into the security-research barn.

Filippo Valsorda — former lead of the Go Security team and a fella with genuine credibility in these parts — published a post on his personal blog arguing that the whole coordinated vulnerability disclosure tradition has about as much structural integrity as a screen door on a submarine.

Valsorda argues on his blog that LLMs are now as capable as almost any security researcher at finding bugs, and that since both defenders and attackers can fire up the same models, the scarce insider insight that once made a well-timed vuln report genuinely valuable has dried up like a creek bed in August.

He also contends, according to his blog post, that the classic confidentiality embargo no longer provides a meaningful protection window, because any attacker can simply query their own model rather than wait around for a full-disclosure write-up to drop.

The Signal-to-Noise Ruckus He's Kicking Up

Valsorda doesn't stop there — he argues on his blog that the real bottleneck in modern vulnerability management has shifted away from finding potential issues and over to figuring out which ones actually matter.

According to his blog post, sorting through a security@ inbox produces roughly the same signal-to-noise ratio as sifting through what an LLM spits out, which is a comparison that'll make any overworked security team feel either deeply understood or profoundly unsettled.

Now, there is some real-world kindling under this particular fire: a specialist report from Hadrian.io documents LLM-based offensive tools achieving meaningful penetration-test results at surprisingly low cost, with one benchmark it cites showing an AI agent compromising four of five Active Directory hosts for roughly $28 in API fees.

And the raw CVE numbers are genuinely staggering — over 48,000 CVEs were published in 2025, roughly 130 per day, pushing the cumulative total above 300,000, with FIRST projecting the median annual count could hit around 59,000 in 2026, according to CSO Online and Security Boulevard.

What We Actually Know for Certain

Here's what you can nail to the barn wall without it falling off: CVE volume is exploding, offensive AI tools are getting cheaper and more capable according to Hadrian.io's reporting, and the triage problem facing security teams is real and well-documented by CSO Online and Security Boulevard.

Researchers at FIRST's VulnCon 2026 noted that many high-impact vulnerabilities first surface through real-world exploitation rather than coordinated disclosure, which suggests the classic CVD pipeline already had structural gaps before anyone said the word 'LLM,' according to the VulnCon program.

The EU Cyber Resilience Act is set to take effect in September 2026, and it legally requires manufacturers to notify ENISA of actively exploited vulnerabilities within 24 hours and maintain formal coordinated disclosure policies — a regulatory move that runs smack contrary to any notion that CVD norms are fading away.

What Ain't Been Nailed Down Yet

Here's where the mud gets thick: Valsorda's central contention — that LLMs are now as good as almost any security researcher at finding bugs — is a claim from a single personal blog post with no independent expert corroboration backing that specific assertion.

Peer-reviewed research presented at ICSE 2026 draws a considerably less flattering portrait, finding that LLM capability in vulnerability discovery has stalled and that these models operate at a shallow level comparable to simple code-metric classifiers — meaning a basic numerical analysis of your codebase may do just as well, which is a hell of a thing to hear if you've been paying premium API rates.

No second independent expert has publicly endorsed the specific thesis that traditional coordinated disclosure norms are now obsolete, and the broader security community at VulnCon 2026 was actively debating how to strengthen CVD frameworks rather than auction them off for scrap.

Our Analysis: Interesting Argument, Shaky Foundation

This is analysis, not reporting: Valsorda's post reads like the kind of provocation that security communities genuinely need — a smart person poking at a comfortable institution to see if it wobbles — but the load-bearing beam of his argument, that LLM bug-finding has reached near-human researcher quality, is contested by the best available peer-reviewed evidence.

The democratized-attack-capability half of his argument has more empirical support, given what Hadrian.io documents about cheap offensive AI tools, but 'attackers got cheaper' doesn't automatically mean 'coordinated disclosure is obsolete' — those are two different conclusions tied together with baling wire.

The EU Cyber Resilience Act is the biggest legal complication for Valsorda's thesis: regulators are not out here reading personal security blogs and spontaneously enshrining dying norms into binding law, so something about the institutional value of CVD apparently still passes the legislative smell test.

The most defensible read is that CVD is under genuine stress from multiple directions — volume, AI tooling, and exploitation-first discovery — but 'under stress' and 'obsolete' are about as similar as a bent fence post and a missing fence, and the difference matters quite a lot to anyone who still has to manage a vulnerability program on Monday morning.

Who is doing the hollering

These links show where the chatter came from. A link is attribution, not our endorsement or independent confirmation.

  1. Vulnerability Reports Are Not Special Anymore · words.filippo.io (personal blog) · social signal
  2. The AI Hacking Boom: What 70 New Offensive Security Tools Mean for Defenders · Hadrian.io · specialist
  3. CISOs must separate signal from noise as CVE volume soars · CSO Online · top tier
  4. 500,000 Vulnerabilities, 14 That Matter: How Exploit Chain Analysis Cuts Through the Noise · Security Boulevard · specialist
  5. CVE Program & FIRST VulnCon 2026 Program Agenda · FIRST.org · primary
  6. EU Cyber Resilience Act: Preparing Your VDP for 2026 Reporting Requirements · HackerOne · specialist
  7. Vulnerability Disclosure (CVD) – Secure-by-Design Handbook · securebydesignhandbook.com · specialist

Revision record

Last checked Jun 24, 2026, 9:07 AM EDT. Talk Around Town: The claim that LLMs have made vulnerability-finding insight 'no longer scarce' is one engineer's view, contested by peer-reviewed research. Readers should treat this as a provocative hypothesis under active debate, not an established fact about the state of security research.