What happened
Security researcher Hyunwoo Kim shared a Linux kernel patch for the 'Copy Fail' vulnerability, intending a quiet fix under embargo. However, an external party noticed the change and publicly shared its security implications, forcing early disclosure. This incident highlights how AI-driven analysis can bypass traditional disclosure timelines, demonstrated by tests where models like Gemini 3.1 Pro, ChatGPT-Thinking 5.5, and Claude Opus 4.7 showed varying capabilities in identifying security fixes from code diffs, with some confidently detecting them.
Why it matters
AI's accelerated vulnerability discovery fundamentally alters risk calculations for security architects and procurement teams. Embargoes, once providing time for vendors to prepare fixes, now carry increased risk of premature exposure, forcing organisations to accelerate patching cycles. This mechanism, AI's rapid code analysis, reduces coordinated response windows and limits traditional disclosure policy effectiveness. This follows Anthropic AI's previous identification of software flaws, prompting release restrictions.
