LLM Spam Is Breaking Security Disclosure Pipelines
The thread on 'Vulnerability reports are not special anymore' is a clear alarm bell. Developers and small company operators report getting two to five unsolicited 'vulnerability reports' per week, about half of them LLM output flagging bad CSS or other non-issues dressed up in CVE language. One commenter said they now triage over a dozen reports a week, most of which are noise. The practical upshot: the signal-to-noise ratio on security disclosures has collapsed.
This is not just an annoyance. Real vulnerabilities are harder to spot when they arrive alongside a flood of AI-generated junk. Security through obscurity, as one commenter put it, 'was never a great strategy, and now it's not a strategy at all.' The usbliter8 iPhone SecureROM exploit thread also surfaced nearby, describing what appears to be a genuine vulnerability in boot ROM, which no software update can patch, and commenters noted it barely got any traction despite its severity. The serious bugs are getting drowned out.
The counterpoint some raised: this might accelerate the overhaul of software practices toward proactive security rather than reactive disclosure. But that is a years-long project, and in the meantime the current disclosure system is becoming less functional.
So what?
If you run any product with a public-facing bug bounty or disclosure email, expect to spend more engineering time on triage than on actual fixes. The cost of handling AI-generated noise is now a real operational expense. Consider rate-limiting submissions per sender, requiring reproduction steps a triager can actually execute (a request, a URL, a command, a numbered sequence) before a human looks at the report, or using structured disclosure forms that are harder for automated tools to fill convincingly. The goal is to move the cost onto the submitter: a report with no reproducible evidence should get an automatic reply asking for it, not an engineer's afternoon. Two caveats: a determined sender can still fill in a form, so treat this as a filter rather than a wall, and make sure the filter never silently discards a report, since the one you drop may be the real one.
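As an added example (not code from the thread or from any project it mentions), here is one way to implement that intake step: a structured-form validator plus a per-reporter sliding-window rate limit. The required field names, the evidence heuristics, the report samples and the thresholds are all assumptions chosen for illustration; the sample submissions are constructed and do not describe real vulnerabilities.

```python
"""Structured disclosure intake: auto-reply on reports that lack reproducible
evidence and rate-limit bulk submitters, so a human only sees the remainder.
Added example; field names, patterns and samples are assumptions."""
from __future__ import annotations

import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Fields a submitter must fill in; a free-text summary alone is not enough.
REQUIRED_FIELDS = ("reporter", "component", "impact", "repro_steps")

# Signs that repro_steps contain something a triager can execute:
# an HTTP request line, a URL, a shell command, or a numbered step list.
EVIDENCE_PATTERNS = [
    re.compile(r"\b(GET|POST|PUT|DELETE|PATCH)\s+/\S+", re.I),
    re.compile(r"https?://\S+"),
    re.compile(r"^\s*\$\s+\S+", re.M),
    re.compile(r"^\s*\d+[.)]\s+\S+", re.M),
]

# Severity vocabulary that generated reports sprinkle in without backing.
JARGON = re.compile(r"\b(CVSS|CVE-\d{4}-\d+|critical|remote code execution|RCE)\b", re.I)


@dataclass
class RateLimiter:
    """Sliding-window limit of max_reports per window seconds, per reporter."""
    max_reports: int = 3
    window: float = 7 * 24 * 3600  # one week
    _seen: dict = field(default_factory=lambda: defaultdict(deque))

    def allow(self, reporter: str, now: float) -> bool:
        q = self._seen[reporter]
        while q and now - q[0] > self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.max_reports:
            return False
        q.append(now)  # junk counts against the quota too; that is the point
        return True


def triage(report: dict, limiter: RateLimiter, now: float | None = None) -> tuple[str, list[str]]:
    """Return (decision, reasons). decision is 'rate_limited',
    'request_poc' (auto-reply, no human time) or 'needs_human'."""
    now = time.time() if now is None else now
    reasons: list[str] = []
    reporter = str(report.get("reporter", "")).strip() or "anonymous"
    if not limiter.allow(reporter, now):
        return "rate_limited", [f"{reporter} exceeded {limiter.max_reports} reports per window"]
    missing = [f for f in REQUIRED_FIELDS if not str(report.get(f, "")).strip()]
    if missing:
        reasons.append("missing required fields: " + ", ".join(missing))
    steps = str(report.get("repro_steps", ""))
    evidence = sum(1 for p in EVIDENCE_PATTERNS if p.search(steps))
    if evidence == 0:
        reasons.append("repro_steps contain no request, URL, command or numbered steps")
    jargon = JARGON.findall(str(report.get("impact", "")) + " " + steps)
    if jargon and evidence == 0:
        terms = ", ".join(sorted({j.upper() for j in jargon}))
        reasons.append(f"severity language ({terms}) with no evidence")
    if reasons:
        return "request_poc", reasons
    return "needs_human", ["has required fields and executable reproduction steps"]


# Constructed sample submissions for demonstration; neither describes a real bug.
SAMPLES = {
    "generated_noise": {
        "reporter": "scanner@example.invalid",
        "component": "website",
        "impact": "Critical vulnerability. CVSS 9.8. The CSS file allows remote code execution.",
        "repro_steps": "The stylesheet is served without integrity checks, which is a severe issue.",
    },
    "actionable": {
        "reporter": "alice@example.invalid",
        "component": "api /v2/export",
        "impact": "Unauthenticated export of other tenants' data",
        "repro_steps": "1. Log in as tenant A\n2. POST /v2/export with tenant_id of tenant B\n3. Observe tenant B's rows in the response",
    },
}

if __name__ == "__main__":
    limiter = RateLimiter()
    for name, report in SAMPLES.items():
        decision, why = triage(report, limiter)
        print(f"{name}: {decision} ({'; '.join(why)})")
```

The decisions are deliberately only three: anything short of "needs_human" gets a templated reply asking for the missing evidence, and the report stays in the queue rather than being deleted, so a genuine reporter who wrote a thin first message can still get through. Tune the patterns to your own product (a CLI tool would want command lines, not HTTP requests) and log every "request_poc" decision so you can audit what the filter held back.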