score by collisions, patch by panic


TLDR;

Score severity by collision count. Researchers ship patches, not just reports. Companies redesign for a world where the exploit lands before the patch. No magic. No vendor pitch. Just the playbook.

The last post went further than I expected. NYT’s Hard Fork picked it up. The Lobsters thread had sharp questions. A few people made a fair point: “the model is broken” is a complaint, not a proposal. So here is the proposal.

a new severity model

The current model treats every report as if it lives in a vacuum: one reporter, one bug, one timeline. That was the assumption the old playbook ran on. It no longer holds. Here is what severity should look like in 2026.

One reporter and no exploit. Standard severity. Standard window. Business as usual.

Two or more reporters of the same bug. Severity goes up a notch. If unrelated researchers are finding the same flaw, a less friendly party probably has it too. Shrink the window.

Working exploit attached. Critical. The patch window collapses from weeks to days.

Working exploit and a public PoC. P0. Stop the line. Patch now.

The collision count is the signal. Use it.

Linus said the quiet part out loud last week on LKML: "So just to make it really clear: if you found a bug using AI tools, the chances are somebody else found it too."

If you needed proof, Searchlight Cyber’s cPanel writeup just made the case better than I can. Strong team. Years of experience on the target. A real head start. Custom tooling that decompiled cPanel’s Perl binaries back to source. They still got beaten to the bug by a threat actor, by two months. Two months. If a team operating at that level can be late, the math has changed for everyone.

the independent researcher problem

Here is the part my proposal does not solve cleanly. If you are a solo researcher you have no telemetry, no customer logs, no threat feed. You find a bug. You file a report. You sit on it. You have no clue whether the bug is already being burned in the wild while you wait.
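The tiers above, written out as a triage function so the escalation rules can be run against a set of reports. This is an added example, not code from the post or from any vendor's process. Everything in it is an assumption made for illustration: the severity ladder, the reporter de-duplication, the choice to start the patch clock at the first report, and in particular the day counts in WINDOW_DAYS, since the post only says the window shrinks from weeks to days. The sample reports in demo() are constructed, not real.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed severity ladder. P0 is reserved for a public PoC; collisions alone
# can push a bug up to critical but not beyond it.
SEVERITY_LADDER = ["low", "medium", "high", "critical", "p0"]
CRITICAL = SEVERITY_LADDER.index("critical")
P0 = SEVERITY_LADDER.index("p0")

# Patch window per tier, in days. These numbers are assumed for the example;
# the post only says the window collapses from weeks to days.
WINDOW_DAYS = {"low": 90, "medium": 60, "high": 30, "critical": 5, "p0": 0}


@dataclass(frozen=True)
class Report:
    reporter: str                  # individual or organisation that filed it
    received: datetime             # when the vendor got the report
    working_exploit: bool = False  # a working exploit is attached
    public_poc: bool = False       # a PoC is already public


@dataclass(frozen=True)
class Triage:
    severity: str
    collisions: int        # number of independent reporters
    deadline: datetime     # patch-by date under the tier's window
    reasons: tuple         # why the tier moved, for the ticket


def distinct_reporters(reports):
    """Same name filing twice is one source, not a collision."""
    return {r.reporter.strip().lower() for r in reports}


def triage(base_severity, reports):
    """Apply the collision model to all reports known for one bug."""
    if base_severity not in SEVERITY_LADDER[:P0]:
        raise ValueError(f"base severity must be one of {SEVERITY_LADDER[:P0]}")
    if not reports:
        raise ValueError("need at least one report")

    level = SEVERITY_LADDER.index(base_severity)
    reasons = []

    collisions = len(distinct_reporters(reports))
    if collisions >= 2:
        level = min(level + 1, CRITICAL)   # up a notch, capped at critical
        reasons.append(f"{collisions} independent reporters: severity up one notch")

    if any(r.working_exploit for r in reports):
        level = max(level, CRITICAL)       # never below critical with an exploit
        reasons.append("working exploit attached: at least critical")

    if any(r.public_poc for r in reports):
        level = P0                         # stop the line
        reasons.append("public PoC: P0, patch now")

    severity = SEVERITY_LADDER[level]
    # Assumption: the clock starts at the first report, so a window that
    # shrinks on a later collision can already be overdue.
    first_seen = min(r.received for r in reports)
    deadline = first_seen + timedelta(days=WINDOW_DAYS[severity])
    return Triage(severity, collisions, deadline, tuple(reasons))


T0 = datetime(2026, 5, 1)  # constructed timestamp for the sample scenarios


def demo():
    """Constructed scenarios, one per tier, plus two edge cases."""
    alice = Report("alice", T0)
    bob = Report("bob", T0 + timedelta(days=3))
    return {
        "solo": triage("high", [alice]),
        "collision": triage("high", [alice, bob]),
        "capped": triage("critical", [alice, bob]),
        "exploit": triage("low", [Report("carol", T0, working_exploit=True)]),
        "p0": triage("low", [alice, Report("dave", T0 + timedelta(days=1),
                                            working_exploit=True, public_poc=True)]),
        "same_reporter": triage("high", [alice, Report("Alice ", T0 + timedelta(days=2))]),
    }


if __name__ == "__main__":
    for name, t in demo().items():
        print(f"{name:14} {t.severity:9} collisions={t.collisions} deadline={t.deadline:%Y-%m-%d}")
        for reason in t.reasons:
            print("   -", reason)
```

The "capped" and "same_reporter" cases are the ones worth arguing about: whether a second reporter on an already-critical bug should be allowed to reach P0 without a public PoC, and how much identity checking you do before counting two filings as independent.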
I do not have a clean fi...

First seen: 2026-05-22 12:19

Last seen: 2026-05-24 02:46