There are approximately 488 Linux kernel CVEs per month* and not a lot of reason to think that CVE-2026-31431("copy

Reply to There are approximately 488 Linux kernel CVEs per month* and not a lot of reason to think that CVE-2026-31431("copy on Mon, 04 May 2026 02:34:51 GMT

marshray@infosec.exchange — Mon, 04 May 2026 02:34:51 GMT

@tychotithonus They took an LPE and made it into the most talked-about vulnerability of the year.

I think they understand the disclosure process quite well.

Reply to There are approximately 488 Linux kernel CVEs per month* and not a lot of reason to think that CVE-2026-31431("copy on Mon, 04 May 2026 02:06:26 GMT

marshray@infosec.exchange — Mon, 04 May 2026 02:06:26 GMT

@tychotithonus In your view, did the discoverers of the 487 other Linux CVEs that month have such an obligation?

Or is it just for those who go out of their way to inform the users of the affected systems?

Reply to There are approximately 488 Linux kernel CVEs per month* and not a lot of reason to think that CVE-2026-31431("copy on Mon, 04 May 2026 02:06:09 GMT

tychotithonus@infosec.exchange — Mon, 04 May 2026 02:06:09 GMT

@marshray And, I mean, I get the spectrum of response here, and I'm not trying to push this into "responsible disclosure" territory. But what they did is shaped like defender-friendly high-visibility disclosures, without the substance. It's like they didn't really understand what it's for ... and aped its form with out understanding its essence.

Reply to There are approximately 488 Linux kernel CVEs per month* and not a lot of reason to think that CVE-2026-31431("copy on Mon, 04 May 2026 01:57:23 GMT

tychotithonus@infosec.exchange — Mon, 04 May 2026 01:57:23 GMT

@marshray I mean, sure, there's no obligation - no more than there's an obligation for me to return my shopping cart. But I still do it, because I understand that what I do has effects on others.

Reply to There are approximately 488 Linux kernel CVEs per month* and not a lot of reason to think that CVE-2026-31431("copy on Mon, 04 May 2026 01:53:57 GMT

marshray@infosec.exchange — Mon, 04 May 2026 01:53:57 GMT

@tychotithonus I just can't see how finding a bug using AI-guided fuzzing techniques obligates a security researcher to include LLM-generated guidance for defenders in their disclosure.

I think defenders can consult their own chatbots if they wish.

Reply to There are approximately 488 Linux kernel CVEs per month* and not a lot of reason to think that CVE-2026-31431("copy on Sun, 03 May 2026 20:40:06 GMT

tychotithonus@infosec.exchange — Sun, 03 May 2026 20:40:06 GMT

@marshray Also, they themselves claim that it is no ordinary vulnerability, and should have stood out - making their failure (to initially leverage their position as even a basic clearinghouse for the rush of people who wouldn't find out about it until later) even more questionable.

Again, it's a weird hybrid of "this is really important" with no understanding of how defenders actually operate.

And for all of their claimed AI acumen, they didn't even bother to prompt for what defenders would need to know (until well after the announcement, where it's clear that they scrambled to fill in some gaps).

#CopyFail

Reply to There are approximately 488 Linux kernel CVEs per month* and not a lot of reason to think that CVE-2026-31431("copy on Sun, 03 May 2026 20:33:28 GMT

tychotithonus@infosec.exchange — Sun, 03 May 2026 20:33:28 GMT

@marshray I'm following this for the most part, but what I don't understand is why they thought they needed to stand up an entire domain name and website and coordination point, and then ... do almost nothing with it [initially, and for a couple days after].

Either they thought it was important enough to do that, and they therefore have a corresponding obligation to at least minimally coordinate and inform defenders (which is what many named vulnerabilities have done in the past), or ... it wasn't. They've chosen some weird middle ground, and even if it was only for marketing reasons, it sure doesn't make me want to buy their product, because I don't trust them to have the judgment or good taste to understand the implications of what they're choosing to do.