Filippo Valsorda makes his living maintaining cryptography the rest of us build on without ever reading the source. So it's worth sitting with what he argued this week: the vulnerability report — the small genre of email open-source maintainers have treated as sacred for three decades — isn't special anymore.

His case is economic, not nostalgic. A security report used to deliver two genuinely scarce goods: expert insight that was hard to come by, and a confidential head start before attackers found the same flaw on their own. Large language models erased the first.

The insight is not scarce and precious anymore. The bottleneck now is not finding potential issues but assessing which ones are real.
Filippo Valsorda

They erased the second too. The embargo — that quiet window between report and patch — assumed an attacker had to repeat the same hard work to rediscover the bug. That assumption is gone.

The attackers don't need to read the full disclosure post to learn about the vulnerability: they can ask their own LLM.
Filippo Valsorda

Here is the part that matters. The thing maintainers are about to lose was never security. It was a proxy for trust. Writing a credible vulnerability report was expensive — it took real skill and real hours — and that expense was doing work nobody priced. A report landing in your inbox was itself evidence: that the sender knew what they were talking about, and almost always, that they meant well. The difficulty authenticated the sender for free.


The easy way to describe what broke is as a slop problem — the curl project has spent the better part of two years publicly fighting a flood of AI-generated reports that look real and aren't. Grant it; the volume is real. But noise drowning signal isn't quite what happened. The report stopped being a signal. A costly message carries information precisely because it's costly to send; drop the cost to zero and its arrival tells you nothing about the sender at all.

What's left is the unglamorous part: triage. The work that matters now is assessment — deciding which of a hundred plausible reports is real — and that is exactly the work an outside reporter can't help you with. Trust doesn't vanish. It just stops being inferable from the envelope, and has to be rebuilt on purpose: reputation, tiers, known senders. The same way every other channel that got cheap to flood eventually was.

For thirty years a vulnerability report authenticated itself. The format hasn't changed. What made it trustworthy was never inside it.