Linux kernel developer Willy Tarreau reports that security bug submissions have exploded from 2-3 per week two years ago to 5-10 per day now. The difference? These reports are actually accurate.
The previous wave was what Tarreau calls "AI slop", low-quality automated submissions that wasted maintainer time. Now agent-based tools are finding real vulnerabilities fast enough that the kernel team had to recruit additional maintainers just to keep up.
Tarreau suspects we're purging a historic backlog of bugs that were always there but undiscovered. The kernel security list now sees daily duplicate reports from different researchers finding the same issues independently.
Here's where it gets interesting. Tarreau predicts this flood of accurate reports will kill security embargoes. When bugs are being found this fast by multiple parties, coordinated disclosure becomes nearly impossible to manage. The old model of quietly fixing vulnerabilities under embargo before announcing them just won't work.
He also sees the end of what he calls "release-then-go-back-to-cave" development. Projects that ship a version and walk away won't survive when security coding agents are this effective at finding flaws.
The kernel team is adapting. Others will have to follow.