This feels more like an old problem getting reframed as an AI problem.
People were already diffing kernel commits and figuring out which ones were security fixes long before LLMs. If a patch lands publicly, the race has basically already started.
Also not sure shorter embargoes really help. The orgs that can patch in hours are already fine. Everyone else still takes days or weeks.
If anything, cheaper exploit generation probably makes coordinated disclosure more important, not less.
I haven't been keeping tabs for the entirety of Linux development, but has it ever happened before that someone dropped a working exploit from the mailing list before the patch even hit the kernel?
I haven't seen this kind of thing and I get the impression, despite all the hype, that this will be a frequent phenomenon now thanks to LLMs.
> Torvalds said that disclosing the bug itself was enough, without the pursuant circus that followed when a major problem has been discovered. [1]
So it's not surprising Dirtyfrag was disclosed by a fix in the Linux kernel. [2]
[1] https://www.zdnet.com/article/torvalds-criticises-the-securi...
I'd say it's an old problem being exacerbated by AI.
I find I'm writing variations of the same comment every week, so I'm just going to share a previous version I wrote, if you'll permit the laziness:
Reminder: the Ksplice patent expires October 1, 2028.
> people were already diffing kernel commits and figuring out which ones were security fixes
With skill, and usually not consistently and systematically. With AI, anyone can do this to any software.
> not sure shorter embargoes really help
Why 90 days versus 2 years? The author is arguing the factors that set that balance have shifted, given the frequency of simultaneous discovery. The embargo window isn’t an actual window, just an illusion, if the exploit is going to be found by several people outside the embargo anyway.
> cheaper exploit generation probably makes coordinated disclosure more important
I agree. But it also makes it less viable. If script kiddies can find and exploit zero days, the capacity to co-ordinate breaks down.
There was always a guild ethic that drove white-hate (EDIT: hat) culture. If the guild is broken, the ethic has nothing to stand on.