May 23, 2026

Bug report? More like panic report

Score by Collisions, Patch by Panic

When the same flaw keeps popping up, commenters say the old rules are officially toast

TLDR: The article argues software flaws should be treated as more urgent when several people independently find the same problem or when a working attack already exists, because independent rediscovery is a sign that criminals may already be ahead. Commenters were split between calling it overdue realism and warning it could trigger rushed, messy fixes.

The big idea in Score by Collisions, Patch by Panic is brutally simple: if multiple people find the same software flaw, or someone already has a working attack ready, companies should stop treating it like a normal bug and start acting like the house is on fire. And the crowd? Oh, they had feelings. On Lobsters and elsewhere, the loudest reaction was basically: "finally, someone said the quiet part out loud." Readers loved the no-nonsense proposal that bug danger should rise when the same problem is found by more than one person, because that likely means bad actors found it too.

But the comments were not all applause. One camp argued this is just realism in 2026: the internet now moves too fast, and waiting weeks to fix a serious issue is fantasy. Another camp pushed back that this could create panic, rushed fixes, and even more chaos if every duplicate report turns into an emergency. The spiciest drama centered on independent researchers, with commenters split between "vendors need to move faster" and "don’t just dump a scary report and disappear." Linus Torvalds’ blunt line about AI-assisted bug hunting lit up the room, with readers joking that if a bot found your bug, congrats, the villains probably found it first.

The funniest running gag was the article's grim humor: the "light at the end of the tunnel" might be dim because of the Strait of Hormuz situation. Commenters also zeroed in on the flex from security star Orange Tsai, who basically posted: no AI, no cheap tricks, just skill. Translation from the peanut gallery: the easy bugs are gone, babes, level up.

Key Points

  • The article proposes a vulnerability severity model that increases urgency based on duplicate discovery and exploit availability rather than treating each report in isolation.
  • It defines escalating response levels: a standard single-reporter bug, a higher level once the same flaw is reported independently, critical when a working exploit exists, and P0 when a public proof of concept is available.
  • The article cites Linus on LKML and a Searchlight Cyber cPanel case as evidence that independent rediscovery of the same bug is common and that attackers often have a head start over the fix.
  • It argues that solo researchers should assume others may have found the same flaw, push for shorter disclosure windows, and attach patches when possible.
  • It says companies must redesign security response for faster exploit timelines and growing exposure across both first-party code and dependencies.
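To make the escalation rule concrete, here is an added illustration (not code from the article or its author) of how a triage queue could apply it. It groups incoming reports by an assumed collision key (normalized component plus weakness class), counts independent reporters rather than raw submissions, and ranks a public proof of concept above a private working exploit, which in turn ranks above a mere collision. The level name "elevated" for the collision case and the `Report` fields are this example's own assumptions; the page only names the "critical" and "P0" levels.

```python
"""Added illustration: severity escalation driven by collisions and exploit
availability. Level names other than 'critical' and 'P0' are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    reporter: str              # submitting person or organization
    component: str             # affected component (normalized below)
    weakness: str              # e.g. a CWE identifier, used to match duplicates
    has_exploit: bool = False  # the reporter demonstrated a working exploit
    public_poc: bool = False   # a proof of concept is already public


def collision_key(report):
    """Two reports 'collide' when they hit the same component with the same
    weakness class. This fuzzy match is an assumption made for the example."""
    return (report.component.strip().lower(), report.weakness.strip().upper())


def escalate(reports):
    """Return (level, independent_reporters) for reports about ONE flaw.

    Ordering follows the article's escalation: a public PoC outranks a private
    working exploit, which outranks a collision, which outranks a lone report.
    'elevated' is an assumed name for the collision level."""
    if not reports:
        raise ValueError("no reports")
    if len({collision_key(r) for r in reports}) != 1:
        raise ValueError("reports describe different flaws")
    reporters = {r.reporter for r in reports}
    if any(r.public_poc for r in reports):
        return "P0", len(reporters)
    if any(r.has_exploit for r in reports):
        return "critical", len(reporters)
    if len(reporters) > 1:
        return "elevated", len(reporters)
    return "standard", len(reporters)


def triage_inbox(reports):
    """Group a mixed inbox by flaw and escalate each group.

    Re-submissions by the same reporter are grouped together but do not count
    as an independent discovery, so they never raise the level on their own."""
    groups = defaultdict(list)
    for r in reports:
        groups[collision_key(r)].append(r)
    return {key: escalate(group) for key, group in groups.items()}


# Constructed sample inbox for the example (not real reports).
INBOX = [
    Report("alice", "auth-service", "cwe-287"),
    Report("alice", "Auth-Service", "CWE-287"),          # same person, re-sent
    Report("bob", "parser", "CWE-787"),
    Report("carol", "Parser", "cwe-787"),                 # independent collision
    Report("dave", "upload", "CWE-22", has_exploit=True),
    Report("eve", "upload", "CWE-22", public_poc=True),   # PoC already public
]

if __name__ == "__main__":
    for key, (level, n) in sorted(triage_inbox(INBOX).items()):
        print(f"{key[0]}/{key[1]}: {level} ({n} independent reporter(s))")
```

The point of counting reporters instead of submissions is the one the commenters worried about: a duplicate from the same person is noise, not a collision, and should not by itself turn a routine bug into an emergency.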

Hottest takes

"if you found a bug using AI tools, the chances are somebody else found it too" — Linus Torvalds
"A report with a patch attached gets fixed faster, every single time" — article author
"No memory corruption, no AI, and of course no collisions at all" — @orange_8361

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.