8 December 2025

The advent of LLMs, reliance on unaudited and massive dependency trees, and the spectre of capitalism are haunting information security. It's pretty easy to have missed some fundamental emergent behaviours.

The industry rewards visibility, not responsibility. As a security researcher, you are judged by GitHub stars and followers, conference talks, CVE counts, and bug bounties. We reward researchers who pop, drop, and bounce. Disclosing vulnerabilities and getting CVE IDs assigned gets likes, followers, and job offers. In an attention-driven economy, that translates directly into currency. Worryingly, the industry has started to mirror academia: publish or perish.

That feedback loop pushes people to be faster, louder, and shallower, feeding an ecosystem already choking as a handful of volunteers maintain code that half the planet depends on. Has anyone even thought about what ramifications this has? If this is what the 'good' guys are finding, what about the bad guys?

We're seeing strange self-emergent behaviours. An LLM redefines what counts as a CVE, flooding the system with noise that looks like productivity. Automated, machine-speed 'responsible' reports overwhelm the humans who actually fix things. Research becomes content and marketing; fixes become footnotes. Ethics are getting crushed by discovery-to-publication cycles in which review and coordination vanish. In effect, the security industry has automated attacks against itself without the benefit of automated remediation or mitigation.

For decades to come we will be fighting social and ethical issues arising from the emergence of LLMs and a predatory attention market, as well as supply chain attacks, given the piss-poor security of most Linux desktop systems and protocols (X11?).
