A return to shallow bugs
What is the "Vuln Apocalypse"?
The cybersecurity community is realizing that AI can find security vulnerabilities in software at a scale we might not be prepared for. “A return to shallow bugs” is the framing I like most. It gives us permission to do practical things now instead of arguing over the exact size, shape, and sulfur content of the impending vulnerability demons.
How should we think about the future?
Vulnerability discovery will not slow down. It will only speed up.
Vulnerability Discovery Accelerates
We should expect more valid vulnerability disclosures from random researchers, customers and partners, security companies, or our own internal process.
Outbound Disclosures Increase
We will need to rapidly disclose vulnerabilities we've found because we will eventually have access to the same powerful AI tools that could be used against us. Expect your own AI assistants to audit your OSS dependencies and occasionally hand you someone else’s vulnerability.
Dependency Patching Accelerates
We will need to patch open source dependencies more frequently than we're used to. Upstream projects are likely to face broad AI-assisted vulnerability hunts, and even a modest increase in findings would force teams to move faster.
Do the fundamentals change?
Security fundamentals will remain unchanged in a post-vuln-apocalypse world. What changes is how early and how aggressively we prioritize them.
Earlier hiring
AI is already changing the economics of security work: useful tooling no longer requires expensive vendor support. That makes an early security engineer more viable than before. They just need an LLM subscription.
Product Security / App Sec
AI-driven vulnerability discovery is the biggest shift here. In many cases, it is no more complicated than pointing a capable CLI harness at a codebase with the right prompting and workflow. However, teams can't just stare blankly at the results and say "fix it" to a bot with their eyes glazed over.
Humans will need to verify findings. We're not yet able to trust an AI product that claims it has verified an exploit end to end. That is all still getting double checked. So some vendors or in-house resourcing will be needed to take AI vuln finding end to end. This is one more reason to make an earlier security hire anyway.
Disclosure
Vulnerability disclosure becomes more important. We're all going to be finding vulnerabilities if we can audit code at scale. This also means we're going to be receiving and triaging vulnerabilities, particularly if we publish open source code or binaries that can be torn apart.
The vulnerability disclosure pipeline coming in, going out, and everything in between will move faster as models improve.
Patch and Release
Patch and release must keep pace with vibecoding. Every security engineer needs to think like a VP of Eng or CTO with regard to dev velocity. Get in the weeds on AI SWE workflows and understand the guardrails that maintain uptime, tests, code quality, secure frameworks, and security telemetry. If vulnerabilities are found faster, they have to be fixed faster while maintaining quality.
Putting the Vuln Apocalypse into perspective
I want to frame this around some formative memories of mine. I keenly remember discovering vulnerabilities in the early oughts immediately after learning about a type of attack. For example, I discovered an AOL Instant Messenger vulnerability in 2004 very shortly after learning what a buffer overflow was. When I found the XSS cheat sheet by rsnake, I remember finding valid XSS in nearly every website I tested. Similar for CSRF, which I learned about in 2004. Effectively all websites were vulnerable to this for years.
In that same time period it was fairly common to expect a mass worm, followed by a mass botnet when RCE vulnerabilities were found. Widespread browser exploitation happened on a near monthly basis.
My early vulnerability research was low sophistication, but still impactful! In those days, bugs were shallow. That was just normal. The internet suffered a long grind of framework level mitigations to get where we are. It has been a long time since those days. Now, I think the last ten years or so have been relatively difficult for those looking to jump right into vulnerability research and easily find live bugs.
I think that the "Vulnpocalypse" is a return to shallow bugs, but I don't think that we're unprepared to handle the future. Adversaries are far more capable of taking advantage of vulnerabilities, but I also think the constructs we have to respond to internet wide events are much better than they used to be.