Article on the new wave of AI-generated bug reports, and how patches are quickly turned into exploits with automation assistance.

There are really plenty of them, including in commercial software - Firefox has had twenty times more security bugs reported for April than normal.

I can’t tell how dramatic this is really. Maybe this is being cooked a tad hotter than it is eaten. Some reports on AI capabilities are basically clever marketing - or even outright misleading.

What is clear is that distros will need to fix more bugs, and it will take some time until most uncovered bugs are fixed.

Users will need to update more frequently.

Frugal configurations might become even more attractive.

Those in for a bad time are probably vendors and users of “connected” devices which were never designed to be updated. Every Smart TV, Amazon Echo, “Smart” home device, or “Smart” toothbrush will likely become open to black hats or enemies of peace and democracy who invade your home network. Including medical stuff…

Some devices should probably be put in a Faraday cage - say anything that would be able to start a fire.

  • Dingaling@lemmy.ml

    It’s a lot of work, but if you’re feeling tired or overwhelmed and thinking negative thoughts about these releases - then don’t. It’s a good thing.

    These are bugs that already exist and, in some cases, are almost certainly being actively exploited by criminals and government-backed organisations both.

    Whilst we might ask that some are a little more responsible with their disclosures, overall this is a massive boost to computer security once we get over this hill of information.

  • cmnybo@discuss.tchncs.de

    Any IoT-type devices should be on their own network where internet access is by whitelist only. They should only have access to what they need to function and nothing more. Ideally, they should all be used with self-hosted services so internet access is not needed.