They did not, in fact, botch anything. They notified the responsible party and followed a practice that is pretty much the accepted norm (and for good reason).
How recursive should their notifications be? Just the top three distros? The top dozen? Every embedded Linux router company? How about every hosting provider?
They did what they're supposed to without being paid for it. The only other good source of funding for security research besides marketing budgets for security companies will NOT result in a disclosure timeline you'd be happier with. ;-)
Definitely comes over as salty. Naming major flaws has been a tradition for decades. Remember Heartbleed? It had a site and a logo :) Shellshock, Meltdown, Spectre as well. A few more: https://github.com/hannob/vulns
This site though is pretty useful; first it serves as a central location to point people to with short links in chats/emails/whatever, then it has a quick visual explainer and a link to the detailed technical report for those who want more info. Pretty neat.
Last but not least, buying the domain must have taken 5 minutes, prompting the page must have taken 30 minutes and posting it on HN must have taken 1 minute. So it certainly wasn't a lot of work in the grand scheme of things and probably did not deter the team from doing other important things.
It used to be done for fame and visibility. Give a marketable name and a website, your exploit will be talked about and your name will shine in the industry.
Now it's done by an LLM to sell more LLM services. Disclosure is botched to have the most sensational title, so more clicks, more upsell.
I'm being very cynical here, but who says that their tool or LLM discovered this? How do we know they didn't hire some expert security researchers to find it, or bought it off the black market as a promotion stunt?
With that being said, I wouldn't mind if they made more sales on whatever they're advertising IF they followed the disclosure process well. A bad disclosure immediately tells me I can't trust them, because their moment in the light was more important than the safety of millions of boxes.
As of now the submission title is simply “Copy Fail”.
Given the severity of the exploit, can we edit the Title to add some context that it’s a major Linux vulnerability?
E.g. the other submissions say this: “Copy Fail: 732 Bytes to Root on Every Major Linux Distribution.”