Filippo Valsorda: LLMs Have Ended the Era of the Special Vulnerability Report
Open source maintainers have long held vulnerability reports to a higher standard than ordinary issues or pull requests. Former Go Security team lead Filippo Valsorda explains the old bargain: researchers traded scarce, hard-won insight and the confidentiality needed to ship a fix ahead of attackers, and in return maintainers owed them prompt acknowledgment, status updates, and public credit. Ignoring a report signaled indifference to users’ safety and was rightly treated as shameful.
That logic, Valsorda argues, has collapsed in 2026 because every premise behind it is now false. LLMs can surface potential bugs about as well as most human researchers, and they are equally available to maintainers, attackers, and anyone else. Finding candidate issues is no longer the bottleneck — triaging which ones are real is, and an outside reporter with no established trust relationship can’t meaningfully help with that. A security@ inbox now carries roughly the same signal-to-noise ratio as raw model output. Confidentiality and embargoes lose their value too, since attackers can run the same analysis themselves and face the same triage problem defenders do.
The upshot is a shift in what the job actually demands: fast triage, rapid remediation, and above all prevention, including running LLM-based analysis directly in CI. Valsorda concedes the change feels uncomfortable, citing curl’s recent month-long suspension of its vulnerability reporting channels — a move he initially thought went too far but can no longer argue against, since servicing inbound reports may simply not be the best use of limited time to protect users.
This is an AI-generated summary. Read the original for the full story.