There's No Such Thing as Someone Else's Vulnerability
Two days ago, Russ Cox – one of the original authors of the Go programming language – apologized on Bluesky.
“The LLM bug hunter comes for us all. Here’s a truly terrible mistake I made seven years ago that somehow went unnoticed by multiple human reviews. Patch your systems! And my apologies.”
Seven years. Multiple human reviews. None of them caught it. An LLM did – not in years, but in hours.
The fix shipped this week as part of an 11-CVE security release for Go. The most serious of those flaws lets a malicious server bypass an integrity check that’s supposed to keep Go developers from getting tampered code. It is the kind of foundational, infrastructure-level flaw that’s supposed to be impossible to miss.
Now, you probably don’t run Go directly. But here’s the thing: the software your business actually uses is built on top of stuff like this – language runtimes, kernel modules, web frameworks, libraries that almost nobody thinks about until they break. And what just happened to Go is happening across the stack.
In May 2025, a security researcher pointed OpenAI’s o3 model at the Linux kernel’s SMB file-sharing service – the protocol that runs file sharing in offices everywhere – and it found a remote zero-day (CVE-2025-37899) hiding in 12,000 lines of code that humans had reviewed for years.
In February 2026, Anthropic disclosed that one of their models had identified and validated more than 500 high-severity zero-day vulnerabilities in production open-source software.
Why this matters for a small business
Attackers aren’t picking your business out of a phonebook. They never were. They scan the internet for software with a known flaw, and they hit every system running it. Your accounting tool, your email server, your VPN, your printer’s firmware: if it has a CVE published yesterday, it’s being scanned for today.
What’s changing is the rate at which those flaws are being surfaced. Bugs that sat undetected for seven years are now being found in an afternoon. The window between a vulnerability being disclosed and being exploited has been shrinking for a while. AI-assisted bug hunting is going to keep collapsing it.
The practical implication isn’t glamorous: know what software your business is running, and patch it fast. Outdated software was always a problem. It’s becoming a much shorter-fused one.
The “we’re too small to be a target” defense was already obsolete. The “we’ll patch eventually” defense is on its way out next.
If you’re not sure what software your business is running or whether it’s current, start for free – no credit card required. Or schedule a call and we’ll walk through it with you.