LLM-accelerated vuln disclosure crisis

Linux kernel adopts no-embargo policy as LLMs flood maintainers with CVEs Lund Linux Conference
TL;DW
  • LLM-discovered vulnerabilities in Linux kernel cannot be embargoed since anyone can trivially rediscover them, forcing immediate public disclosure.
  • Fedora kernel maintainer expects at least one important kernel update weekly due to FKB (fragment buffer) API misuse causing exploitable network stack vulnerabilities.
  • Linux upstream community merged rules: no embargo period for LLM-found bugs, making vulnerability disclosure immediate and uncontrolled.
  • FKB copy-on-write bugs in sendfile implementation enable dirty page attacks; widespread misuse across kernel codebase creates cascade of CVEs.
  • Kernel maintainers focusing only on actively exploitable CVEs with proof-of-concept rather than preventative security work due to flood of discoveries.
  • Old unmaintained protocols (ISDN removed, others deprecated) turned out to have numerous vulnerabilities; removal reduces attack surface as liability cuts across subsystems.
  • Proprietary code faces greater risk than open source since LLM analysis works on compiled machine code without source access.
  • SELinux and LSM policies can mitigate exploits by blocking vulnerable socket families or functions without kernel reboot via small BPF programs.
  • Long-term benefit: continuous LLM scanning may eventually reach equilibrium where code has minimal CVEs, forcing better security practices industry-wide.
  • State actors likely already possessed vulnerability discovery capabilities; LLMs make the vulnerability flood visible and public rather than creating new risk.

LLM-based tools are rediscovering kernel vulnerabilities faster than patches ship, triggering weekly Fedora releases and an explosion of CVEs concentrated in SKB API misuse and copy-on-write handling. The talk covers mitigation approaches including dead code removal, stricter SELinux policies, LSM hooks, and BPF-based lockdowns.

JS toolchain unification

Evan You ships Vite Plus to unify Rollup, Oxlint, Oxformat, and Vitest into one Rust/Go toolchain CityJS
TL;DW
  • Vite Plus unifies fragmented JS tooling by integrating Rollup, OXC, Vitest, and TSGo into single coherent system with consistent behavior across dev and production.
  • Rolldown bundler achieves ESBuild feature parity with Rollup API compatibility while being slightly faster than ESBuild on some systems, improving 33% speed and 34.5% bundle size reduction in one year.
  • OXlint reached 100% ESLint plugin compliance using raw AST transfer—moving AST memory through shared array buffer to pass Rust core data to JavaScript plugins without expensive copying.
  • OXFormat achieved 100% Prettier conformance for JS/TS while running 30-45x faster, supporting prettier plugins for formatting Vue and other file types.
  • VP package manager manager automatically selects and caches correct package manager version per project without requiring explicit configuration or understanding corepack differences.
  • VP install and VP run enable monorepo task orchestration with intelligent file-system-level caching that requires zero configuration for most use cases.
  • Vite 8 removes ESBuild dependency, uses only Rollup for consistent behavior, includes built-in TypeScript config paths support eliminating need for separate plugin.
  • Type-aware linting via TSGo integration avoids Biome's custom type synthesizer approach, instead leveraging official TypeScript as single source of truth for full spec coverage.
  • Multiple JavaScript parsers in legacy toolchain (Webpack uses Acorn, Babel has own AST, Terser forks UglifyJS parser) caused code to be parsed 3-4 times inefficiently.
  • AI coding agents benefit from faster tools since compilation time becomes proportionally larger when AI generates code in minutes; 5-minute build reduced to 10 seconds compounds agent efficiency.

Addresses the core fragmentation problem: a single JS file gets parsed by 3–4 tools with incompatible ASTs. Vite Plus adds package management, task running with caching, and monorepo orchestration, with TSGo enabling type-aware linting. You argues unified fast tooling is critical as AI coding agents make build latency a bottleneck.

Agentic org maturity gap

88% of firms use AI coding tools but only 5.5% see business impact, PlatformCon study finds PlatformCon
TL;DW
  • 88% of firms experiment with AI coding tools, but only 5.5% report significant business impact—the gap is organizational redesign, not tool access.
  • Agentic Development Platform (ADP) makes platform paths machine-readable and autonomously executable by agents; IDP paths become API-addressable and event-driven.
  • Five-level maturity model (L0–L4): L0 is all-human coding; L2 has agents generating PRs with human review; L3 has continuous background execution under rules; L4 enables self-initiating work from system signals.
  • Three organizational bottlenecks no AI model solves: how work dispatches to agents, how validation loops scale as a continuous process (not a gate), and how risk governance handles non-human identity accountability.
  • Validation must shift from gate to loop—agents iterate through deterministic checks (CI, security, policy) autonomously until passing or hitting a known boundary.
  • Agent-ready dispatch requires bounded scope, clear identity, workspace provisioning, and output routing; without these, agent work has nowhere to land.
  • L1-to-L2 transition is tooling-level; L2-to-L3 requires hardest leadership shift—moving humans from execution to orchestration and policy design.
  • Leadership must decide: which changes auto-merge vs. require human review (defines maturity level); validation checks required and what passing means; clear agent ownership and accountability.
  • Governance designed upfront is competitive advantage—quality of guardrails determines safe autonomy; governance enables velocity, not slows it.
  • Playbook: Month 1 assess maturity and map paths; Month 2 design validation loop, agent identity, and promotion model; Month 3 pilot with bounded team, measure cycle time and defect rate before scaling.

The gap traces to org structure, not model quality: dispatch, validation, and governance bottlenecks stall value capture. Presents a five-level agentic development platform maturity model and a concrete playbook for moving from AI-assisted coding to agent-generated PRs, with governance framed as the lever that enables—not limits—autonomy.