Go Security Lead Argues LLMs Render Confidential Vulnerability Reporting Obsolete
In a 2026 opinion piece, the Go Security team lead asserts that attackers now possess equal analytical capabilities to defenders, shifting the cybersecurity bottleneck from discovery to validation.
Filippo Valsorda, lead of the Go Security team and a maintainer supported by Geomys, has published an opinion piece arguing that the traditional model of confidential vulnerability reporting is obsolete in 2026. Valsorda contends that large language models have made security insights and vulnerability detection accessible to anyone, including attackers, rendering the scarcity and confidentiality previously offered by researchers redundant. He suggests that the bottleneck has shifted from finding issues to assessing their validity, and that maintainers should focus on triage, rapid remediation, and integrating LLM analysis into continuous integration pipelines rather than prioritising external reports.
Historically, vulnerability reports were treated as special because security researchers provided scarce insight and confidentiality, allowing projects to ship fixes before attackers could develop exploits. The traditional exchange involved responsiveness and attribution from maintainers in return for the researcher’s service of confidential reporting. There is a complex history regarding disclosure practices, including legal threats against researchers in earlier eras, which led to the coordinated disclosure movement. Valsorda is the lead of the Go Security team and works with Geomys, an organisation of professional Go maintainers funded by Ava Labs, Teleport, Datadog, Tailscale, and Sentry.
Valsorda asserts that external security researchers can no longer meaningfully contribute to the triage process unless a pre-existing trust relationship exists, as the signal-to-noise ratio in security inboxes is comparable to parsing LLM output. He argues that attackers no longer need to wait for full disclosure posts or exploit embargoes, as they can utilise their own LLMs to identify vulnerabilities. The author notes that while he previously argued against curl’s suspension of vulnerability reporting channels, he currently sees no argument for servicing such reports as the most effective way to protect users.
The article references the curl project's recent month-long suspension of its vulnerability reporting channels, a move Valsorda previously opposed but now views as a reflection of the changing landscape. He suggests that open source projects should instead work out how to run LLM analysis within their CI pipelines.