Negative-Days with Vulnerability Spoiler Alert: Three Months Later (LLM) | Spaceraccoon

May 24, 2026

Link: https://spaceraccoon.dev/negative-days-vulnerability-spoiler-alert/

When I published Discovering Negative-Days with LLM Workflows three months ago, I got a lot of great feedback and interest. Since then, the waves have only gotten stronger in the vulnerability research world, with plenty of critical disclosures in major open-source projects. Some of these were caught by my demo of Vulnerability Spoiler Alert, which monitors only 10 open-source projects.

For example, Calif mentioned Vulnerability Spoiler Alert in their CVE-2026-27654 nginx blogpost, and for good reason – Vulnerability Spoiler Alert detected it about 30 minutes before the CVE was published. Despite the intermittent nature of my monitor (API costs are a thing), there have been excellent results. Out of 152 findings:

  • 47 have confirmed CVEs;
  • 64 were automatically verified by an independent Copilot agent;
  • 41 were false positives.

Of the confirmed CVEs, 35 were discovered before the CVEs were published, with an average lead time of 2 days. The maximum lead time was almost 27 days, an honour which went to Next.JS CVE-2026-27979. Also worth noting is that Vulnerability Spoiler Alert’s LLM workflow correctly built the right proof-of-concept for it despite being a single-turn API call.