Skills
Schneier on Security: Traditional Vulnerability Disclosure Is Broken for AI Systems
Bruce Schneier published a June 1 blog post arguing that 90-day coordinated disclosure timelines are structurally broken for AI, because AI vulnerabilities (prompt injection, jailbreaks, model inversion) often have no clean patch and can be rediscovered independently in hours via automated tooling. He proposes a tiered model: immediate vendor notification, 30-day public disclosure for prompt-level flaws, and indefinite embargo for model-weight attacks where no patch is possible. The post follows a spike in undisclosed AI agent CVEs being weaponized before vendor acknowledgment.
↳ Follow the thread