by bawolff 60 days ago
Once the commit is public, the cat is out of the bag. Being coy about it only helps attackers and reduces everyone's security.

Yes I think this is an appropriate view today.

My only caveat would be that in some security fixes, the pure code delta is not always indicative of the full exploit method. But LLMs could interpolate from there depending on context.

It is just as much the appropriate view now as it was in the 90s.

Attackers are not idiots. Once you have the commit, it is usually pretty easy to figure out; even just having the binary diff is usually enough.

The binary diff?
There are people who reverse engineer security vulns of closed source products by comparing the before and after of the compiled binary.