• Category: Engineering post
  • Status: discussion
  • Sources: words.filippo.io, discussion
  • Summary: In a 2026-06-23 post, Go cryptography maintainer Filippo Valsorda argues that the special handling of vulnerability reports (fast response, attribution, confidential disclosure) was justified by a scarcity that LLMs have removed: "LLMs are as good as almost any security researcher, and anyone can run them." He says the bottleneck is now triage, "not finding potential issues but assessing which ones are real," and that maintainers should prioritize rapid remediation, prevention, and running LLM analysis in CI.
  • Why it matters: It reframes maintainer security workload around AI-generated reports, the same pressure behind curl pausing report handling and the FFmpeg AI-found zero-days.
  • Follow-up: Track whether projects formalize deprioritized handling of unverified LLM-generated vulnerability reports.

Send feedback on this story