AI is breaking two vulnerability cultures

Original Article ↗ Hacker News Discussion ↗

AI and Vulnerability Discovery

  • Many argue AI mostly accelerates an old pattern: attackers already diffed commits and patches; now it’s cheaper, faster, and more systematic.
  • Others see a qualitative shift: “anyone can do this to any software,” so every public patch effectively discloses a vulnerability, even without explicit advisories.
  • Some predict that any inspectable code (including via decompilation) will soon have its vulnerabilities rapidly surfaced by AI-driven analysis.

Disclosure, Embargoes, and Patch Practices

  • The traditional gap between patch and public disclosure is seen as collapsing: once a fix lands, AI-assisted attackers can often reconstruct the bug and exploit.
  • Opinions diverge on timelines: some defend long (e.g., 90‑day) windows for complex fixes; others advocate very short deadlines (days) or full/near‑instant disclosure so users can protect themselves.
  • Coordinated disclosure norms are criticized as outdated, built on a “false sense of security” that patches aren’t already disclosures.

Stable vs Fast-Moving Software Ecosystems

  • One view: “slow and steady” distributions may become untenable if anything not-latest is trivial to exploit.
  • Counterpoint: stable branches with only security backports may be easier to auto‑patch at scale and become safer over time, though maintainers may need to shorten support lifetimes.

Use of AI for Defense and Automation

  • Suggested uses: scanning every commit/diff, generating candidate patches, rapidly building and shipping security releases, and doing organization‑wide architecture analysis.
  • Practitioners report mixed results: AI often finds real issues and proposes some good fixes, but also produces incorrect patches requiring expert review.
  • Some think full AI‑driven pipelines (hour‑scale MTTP) are possible; others see current models as unreliable “slot machines.”

Security Posture and Architectural Responses

  • Emphasis on layered defenses: firewalls, reduced attack surface, disabling rarely used features, segmentation, hardware-backed key isolation, and VM‑based compartmentalization.
  • Some argue closed-source SaaS or server-side architectures may gain relative advantage; others note strong reversing tools and code leaks limit obscurity.

Debates and Uncertainties

  • Disagreement over whether rising vulnerability counts are due more to better discovery (including AI) or more “sloppy” AI-assisted code.
  • Some predict a temporary attacker advantage until AI helps defenders clear most exploitable bugs; others call such extrapolations highly speculative.