AI Is Breaking Two Vulnerability Cultures: What Copy Fail Teaches Us

The Incident: Copy Fail and the Broken Embargo

In early May 2026, a critical Linux kernel networking vulnerability known as Copy Fail was discovered. The vulnerability (CVE pending) allowed local privilege escalation through a flaw in the kernel's networking subsystem, affecting virtually every Linux distribution.

Security researcher Hyunwoo Kim reported the bug through standard coordinated disclosure channels. He described the impact to a closed list of Linux kernel security engineers, then committed a quiet fix: a single, innocuous-looking patch that corrected the bug without mentioning its security implications. This is the classic "bugs are bugs" approach: fix it fast, publish the diff, and hope nobody notices the security angle.

The quiet fix stayed quiet for about nine hours.

Kuan-Ting Chen independently rediscovered the same vulnerability and reported it through a different channel. Within a day, someone noticed Kim's commit, recognized it as a security fix, and published the full exploit details publicly. The embargo collapsed.

This story wouldn't be remarkable — embargoes break all the time — except for one thing: the timeline is compressed in a way that's only possible with AI.

Two Vulnerability Cultures in Collision

Jeff Kaufman's excellent essay "AI Is Breaking Two Vulnerability Cultures" (72 points on Hacker News in 2 hours) identifies two competing approaches to vulnerability disclosure:

1. Coordinated Disclosure Culture

The dominant approach in mainstream computer security. When you find a bug, you report it privately to the maintainers and give them a fixed window (typically 90 days) to develop and ship a fix. Only after the window expires, or the fix ships, do you go public. The theory: fixes reach users before attackers know the hole exists.

This is how most commercial software vulnerabilities are handled — Google Project Zero's 90-day disclosure policy is the canonical example.

2. "Bugs Are Bugs" Culture

Especially common in the Linux kernel and other open source projects. The philosophy: if the code is doing something wrong, just fix it. Submit the patch through normal review channels. Don't draw attention to it. Most changes go unnoticed in the noise of thousands of commits. By the time someone reverse-engineers the exploit, most systems are already patched.

This approach relies on security fixes being a small enough fraction of the commit stream that they blend in with regular maintenance.

Both approaches worked — imperfectly but adequately — for decades. AI changes both of them fundamentally.

Why AI Is the Accelerant

AI impacts vulnerability disclosure in two ways that make the old models unsustainable:

AI Makes Commits Transparent

The "bugs are bugs" approach depended on nobody noticing that a particular commit was a security fix. With hundreds of commits per day across the kernel, the probability that a human would spot the one fix for a critical networking bug was low.

AI changes this entirely. As Kaufman tested in his essay, all three major frontier models (Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7) immediately recognized the Copy Fail commit as a security patch. Given just the raw diff without context, Gemini was "sure it was a security fix."

Running an LLM over every commit in a project's git log costs on the order of cents per commit. Organizations and independent researchers can now automatically flag security-relevant commits as they land, which blows the "bugs are bugs" cover open.

AI Accelerates Vulnerability Discovery

The 90-day embargo model assumed that independent rediscovery within a disclosure window was rare. That assumption is dead. AI-assisted security scanning means multiple groups are likely to find the same vulnerability within hours or days of each other.

In the Copy Fail case, two independent researchers found the same bug within nine hours. That's not a coincidence — it's a preview of a world where any vulnerability that can be found will be found quickly by multiple actors simultaneously.

The Embargo Problem Nobody Wants to Talk About

Long embargoes are increasingly counterproductive. They invert the urgency: the people who know about a vulnerability assume they have weeks to fix it, when in reality the window of exclusive knowledge is measured in hours.

This has several consequences:

  • Patch velocity matters more than secrecy. A fix deployed in 24 hours is worth more than a perfect fix deployed in 30 days, because the window of exclusive knowledge is shrinking.
  • Embargoes limit the defender pool. Only the inner circle of security engineers can work on the fix. With AI allowing faster triage and patch generation, you want more eyes on the problem, not fewer.
  • False sense of safety. Teams relax because "it's under embargo," not realizing their window has already closed.

"Embargoes can increase risk: they create a false sense of non-urgency and limit which actors can work to fix a flaw."

— Jeff Kaufman

What Comes Next: Shorter Embargoes, Faster Defenders

The path forward isn't obvious, but some patterns are emerging:

Very Short Embargoes (24-72 Hours)

Rather than 90-day windows, the industry may shift to embargoes measured in hours or days. The goal shifts from "keep the vulnerability secret until a fix ships" to "coordinate initial response before mass exploitation begins."

AI-Augmented Defense

The same AI tools that make vulnerability discovery faster can also speed up defenders. Automated patch triage, impact analysis, and even AI-generated fixes could collapse the window from discovery to patch from weeks to hours. The key insight: AI is a multiplier for both attackers and defenders — the question is which side benefits more.

Bounty Programs Need Rethinking

If vulnerabilities are discovered at AI speed, bounty programs based on 90-day disclosure windows need to be restructured. Faster payouts, smaller windows, and automated validation are likely adaptations.

Infrastructure for Rapid Patch Distribution

If critical fixes need to ship in hours instead of weeks, the distribution side has to keep up: unattended, automated update pipelines in the spirit of Let's Encrypt's certificate issuance (short-lived artifacts renewed without a human in the loop), and kernel live patching (the upstream livepatch mechanism and tools built on it) so hosts can take a fix without waiting for a reboot window. The industry needs distribution channels that match the new pace of vulnerability discovery.

Key Takeaways for Security Teams

  1. Assume your vulnerability will be independently discovered within 48 hours. Plan your emergency response accordingly, not on a 90-day timeline.
  2. Don't rely on commit obscurity. Treat every security fix as if it will be publicly identified within hours of landing. AI-powered commit analysis makes the "quiet fix" strategy obsolete.
  3. Invest in automated patch generation and deployment. Speed of remediation is now the primary metric, ahead of polishing the fix; keep a human review gate on generated patches so a fast fix does not become a fast regression that has to be reverted.
  4. Shorten disclosure windows proactively. Even if you could ask for 90 days, ask for 7. The ecosystem moves faster now.
  5. Monitor commits in your dependencies with AI. If attackers can use AI to find the exploit in a commit, defenders should use AI to find and apply the fix first.
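
What takeaway 5 (and the earlier point that AI makes commits transparent) looks like in practice is a small pipeline: split a `git log -p` stream into commits, apply cheap lexical heuristics to the added lines to prioritize them, and hand each diff to a model with a yes/no prompt. The following is an added example written for this page, not code from Kaufman's essay or from the Linux kernel project. The two commits in `SAMPLE_LOG` are constructed for the example and are not the real Copy Fail patch; the heuristic patterns and weights are assumptions, and `stub_model` is an offline stand-in for the API call a real deployment would make.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Commit:
    sha: str
    subject: str
    diff: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    verdict: Optional[str] = None


# Cheap lexical heuristics applied to ADDED lines only. The patterns and
# weights are an assumption chosen for this example, not a calibrated model;
# they exist to rank commits, the model makes the call.
HEURISTICS = [
    (re.compile(r"\bif\s*\(.*\b(len|size|count|n|off|offset)\b\s*(>=|<=|>|<|!=|==)"),
     3, "bounds/length comparison added"),
    (re.compile(r"\bmin(_t)?\s*\("), 2, "min() clamp added"),
    (re.compile(r"\breturn\s+-E[A-Z]+\s*;"), 2, "error return added"),
    (re.compile(r"overflow|out[- ]of[- ]bounds|too (long|large|big)", re.I),
     2, "overflow/bounds wording"),
    (re.compile(r"\b(copy_(to|from)_user|memcpy|kfree|put_user|get_user)\b"),
     1, "touches copy/free primitive"),
]


def parse_git_log(text: str) -> List[Commit]:
    """Split `git log -p` output into Commit objects (sha, subject, diff)."""
    commits = []
    for chunk in re.split(r"^(?=commit [0-9a-f]{7,40}$)", text, flags=re.M):
        if not chunk.startswith("commit "):
            continue
        header, _, rest = chunk.partition("\ndiff --git ")
        sha = header.split(None, 2)[1]
        # git indents the commit message by four spaces; first such line is the subject
        body = [l.strip() for l in header.splitlines()[1:] if l.startswith("    ")]
        subject = body[0] if body else ""
        diff = ("diff --git " + rest) if rest else ""
        commits.append(Commit(sha=sha, subject=subject, diff=diff))
    return commits


def score_commit(c: Commit) -> Commit:
    """Accumulate heuristic weights over the diff's added lines."""
    added = [l[1:] for l in c.diff.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    for line in added:
        for pat, weight, why in HEURISTICS:
            if pat.search(line):
                c.score += weight
                c.reasons.append(f"{why}: {line.strip()}")
    return c


def build_prompt(c: Commit) -> str:
    return ("You are reviewing a kernel commit. Answer on the first line with "
            "SECURITY or NOT-SECURITY, then one sentence of reasoning.\n\n"
            f"Subject: {c.subject}\n\n{c.diff}")


def review_commit(c: Commit, ask_model: Callable[[str], str]) -> Commit:
    """Send the diff to a model and record its verdict on the commit."""
    reply = ask_model(build_prompt(c)).strip()
    c.verdict = "SECURITY" if reply.upper().startswith("SECURITY") else "NOT-SECURITY"
    return c


def triage_log(text: str, ask_model: Optional[Callable[[str], str]] = None,
               threshold: int = 3) -> List[Commit]:
    """With a model available, ask it about every commit (the essay's point is
    that this is cheap); without one, fall back to the heuristic threshold.
    Returns the commits judged security-relevant, highest score first."""
    out = []
    for c in parse_git_log(text):
        score_commit(c)
        if ask_model is not None:
            if review_commit(c, ask_model).verdict == "SECURITY":
                out.append(c)
        elif c.score >= threshold:
            out.append(c)
    return sorted(out, key=lambda c: -c.score)


def stub_model(prompt: str) -> str:
    """Offline stand-in for a vendor API call (assumption: a real deployment
    would POST `prompt` to the model here). Flags any diff that adds an if()."""
    if re.search(r"^\+.*\bif\s*\(", prompt, re.M):
        return "SECURITY: adds a length check before a copy"
    return "NOT-SECURITY: cosmetic change"


# Constructed sample `git log -p` output; the diff is illustrative, not the real patch.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Example Dev <dev@example.invalid>
Date:   Mon May 4 10:00:00 2026 +0000

    net: example: clamp copy length in recvmsg path

diff --git a/net/example/proto.c b/net/example/proto.c
--- a/net/example/proto.c
+++ b/net/example/proto.c
@@ -120,6 +120,8 @@ static int example_recvmsg(struct sock *sk, struct msghdr *msg, size_t len)
     skb = skb_recv_datagram(sk, flags, &err);
     if (!skb)
         return err;
+    if (len > skb->len)
+        len = skb->len;
     err = skb_copy_datagram_msg(skb, 0, msg, len);
     kfree_skb(skb);
     return err;
commit 2222222222222222222222222222222222222222
Author: Example Dev <dev@example.invalid>
Date:   Mon May 4 11:00:00 2026 +0000

    net: example: fix typo in comment

diff --git a/net/example/proto.c b/net/example/proto.c
--- a/net/example/proto.c
+++ b/net/example/proto.c
@@ -10,7 +10,7 @@
-/* Recieve path helpers */
+/* Receive path helpers */
"""

if __name__ == "__main__":
    for c in triage_log(SAMPLE_LOG, ask_model=stub_model):
        print(c.sha[:12], c.verdict, c.score, c.subject, c.reasons)
```

In a real run the input is `git log -p origin/master@{1}..origin/master` on each fetch, and `ask_model` wraps whichever API you use; the heuristics only order the queue, they never suppress a commit once a model is in the loop, because the quiet-fix pattern is exactly the one that avoids telltale words in the subject.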

The Copy Fail vulnerability is a wake-up call. Not because it's the worst vulnerability ever discovered — it's not — but because it's the first widely visible case where AI fundamentally broke the disclosure model that security has relied on for decades. It won't be the last.