REVIEW 2 major objections 4 minor 41 references
Defender welfare depends on the AI capability gap, not the shared level: a timed pre-release is the lab's optimal release policy.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-12 01:31 UTC pith:YAGHXH5I
load-bearing objection Clean formalization of release sequencing as a lab-led Stackelberg game; the gap-vs-level insight is solid, the headline windows are not. the 2 major comments →
The Oracle's Gambit: A Game-Theoretic Framework for Responsible AI Release
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Defender welfare turns on the capability gap between defender and adversary, not on the shared absolute level of AI capability. Symmetric release of one model to both sides traps the defender in a Red Queen's race driven by pipeline asymmetry, whereas a pre-release that hands the new model to the defender alone creates a protective gap; the lab's Stackelberg-optimal policy is an interior pre-release window that balances that welfare gain against delay cost, and this choice is robust across calibrated model transitions.
What carries the argument
A bilevel three-player Stackelberg game: the lab commits to a release window W that induces time-varying capability schedules for a fully observable, zero-sum, finite-horizon stochastic game between defender and adversary, solved to its unique value by backward induction; the lab then maximises defender welfare net of delay cost over admissible windows.
Load-bearing premise
The five per-round success rates that drive the race can be reliably read off end-to-end benchmark pass rates by an expert-panel elicitation procedure, and those rates correctly capture how each new model moves both sides.
What would settle it
Re-solve the same game with independently measured per-round rates from real agent runs (or human baselines) on the same model ladder; if public simultaneous release then yields higher defender welfare than any pre-release window, or if pre-release ceases to be modal under the elicited uncertainty, the central claim fails.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper models frontier AI release for dual-use cyber capabilities as a bilevel three-player Stackelberg game: a lab commits to a release window W (public, pre-release of length W, or embargo) that induces time-varying capability schedules κ_Def(t) and κ_Adv(t) for a downstream finite-horizon zero-sum stochastic game between defender and adversary over n vulnerabilities. The inner game tracks asymmetric pipelines (defender: detect-build-test-ship plus exogenous coverage ρ; adversary: detect-weaponize or reverse-engineer a shipped patch) with Bernoulli success rates drawn from a capability vector κ; its unique value is obtained by backward induction. Defender welfare depends on the capability gap rather than the shared level, so simultaneous public release produces a Red Queen’s race while a temporary pre-release opens a protective gap. The lab maximizes welfare net of linear delay cost. Calibrated via LLM-Delphi elicitation of κ on successive frontier models and Monte Carlo over elicitation uncertainty, pre-release is the Stackelberg optimum in 80–95% of draws, with a headline interior window of 24 rounds for the Opus 4.6→Mythos transition.
Significance. If the qualitative gap-versus-level result holds, the paper supplies a clean, policy-relevant formalization that moves frontier-AI safety frameworks beyond binary deploy-or-withhold thresholds to the sequencing of access—an issue already visible in real programs such as Anthropic’s Project Glasswing. The bilevel construction is technically sound: the inner game is a standard finite-horizon zero-sum stochastic game with a unique value via Shapley-style backward induction, the outer problem is finite enumeration, and the Red Queen insight follows directly from pipeline-length asymmetry plus capability-independent coverage ρ. Strengths include the Morris elementary-effects screening of κ components, the explicit Monte Carlo robustness check over the LLM-Delphi posterior, and the transparent mapping of the model onto a concrete recent release. These elements make the framework a useful starting point for mechanism-design extensions that align private delay costs with social welfare.
major comments (2)
- [§3.3 Eq. (15), §4.1, Fig. 2, Fig. 6b, Table 3] Section 3.3 Eq. (15) and Section 4.1 (Class B, Fig. 2, Fig. 6b): Lab payoff is defined as U_Lab = u_Def − c_delay · ℓ(π_Lab). The interior optimum W⋆ (and therefore the claim that pre-release is Stackelberg-optimal) exists only inside a band of the hand-chosen operating point c_delay = c_Def = 0.05. Outside that band the solution collapses to PUBLIC or EMBARGO. Table 3’s 80–95% frequencies and the headline W⋆ = 24 for Mythos are therefore conditional on an uncalibrated cost, not on the elicited capabilities. The qualitative gap-versus-level result (Fig. 5) is robust; the quantitative optimality claim needs either external grounding of c_delay or explicit reframing as holding only inside the interior band.
- [§4.1, Table 2, Fig. 3] Section 4.1 Class C and Table 2: The five per-round Bernoulli rates that drive the entire inner game are obtained by mapping end-to-end benchmark pass rates through an LLM-Delphi panel of five GPT-5.1 personas (the same authors’ concurrent method). While Morris screening (Fig. 3) and the Monte Carlo (Table 3) show that the sign of the gap effect is insensitive to exact values, the magnitude of welfare gains Δu_Def and the precise location of W⋆ still depend on those absolute levels. Absent human-expert validation or an alternative calibration path, the quantitative welfare numbers remain soft.
minor comments (4)
- [§3.3] Section 3.3: The selection of the minimal-action-count strategy among value-optimal policies (to make u_Def unique) is described as the limit c_Def → 0+, yet the numerical experiments set c_Def = 0.05. A short clarifying sentence would remove the minor inconsistency.
- [Fig. 5] Figure 5a caption and surrounding text: “symmetric scaling (Δκ ≡ 0)” is clear, but the vertical axis label “welfare U_def” should be u_Def for consistency with Eq. (14).
- [§5] Section 5: The discussion correctly flags that the reported windows are conditional on the operating point; elevating that caveat into the abstract or the contributions list would better match the strength of the quantitative claims.
- [References] References: Several 2026-dated system cards and blog posts (AISI Mythos evaluation, Project Glasswing, Zero Day Clock) are cited; if any remain non-archival, a note on accessibility would help reproducibility.
Circularity Check
Mild self-citation for the LLM-Delphi capability elicitation; core Stackelberg derivation and gap-vs-level claim are independent of that method and not tautological.
specific steps
-
self citation load bearing
[Section 4.1 (Eliciting Class C), Table 2, citation [24]]
"Our elicitation follows the Scalable Delphi method of Lorenz and Fritz [24], which has three parts: the target variables to estimate (here the five components of κ), a board of LLM experts, and a shared evidence base. ... Table 2 reports the consensus vectors (panel mean ± inter-expert standard deviation)."
The five per-round rates that parameterize the inner-game transitions (and therefore the Monte-Carlo frequencies of pre-release optimality) are produced by a method paper whose authors overlap with the present paper. While the structural gap-vs-level claim survives variation of those rates, the reported quantitative posterior shares (80–95%) and headline windows rest on this self-cited elicitation pipeline rather than on independently measured transition probabilities.
full rationale
The bilevel game (Eqs. 1–16), inner value by finite-horizon Shapley backward induction (Eqs. 10–11), and welfare/payoff definitions (Eqs. 14–15) are self-contained mathematical constructions. The qualitative result that defender welfare depends on the capability gap Δκ rather than the shared level follows directly from the asymmetric pipeline lengths (adversary: two Bernoulli stages to READY; defender: four stages to SHIPPED plus exogenous coverage ρ) and is demonstrated by comparing symmetric scaling (Figure 5a) against an opened gap (Figure 5b); it does not reduce to any fitted parameter or self-definition. Cost levers are swept (Figure 2, Figure 6b) and the operating point c_delay = c_Def = 0.05 is explicitly chosen inside the non-trivial band rather than reverse-engineered from a target W*. The sole mild circularity risk is that the Class C rates (Table 2) that set the quantitative size of gains and the 80–95% Monte-Carlo frequencies are obtained via the authors’ own prior LLM-Delphi procedure; this is ordinary methodological self-citation, not a load-bearing uniqueness claim or a prediction forced by construction. No self-definitional loop, no fitted-input-called-prediction, and no ansatz smuggled via citation appear in the derivation chain.
Axiom & Free-Parameter Ledger
free parameters (6)
- c_delay (per-round hold cost) =
0.05 (operating point)
- c_Def (defender per-action cost) =
0.05
- ρ (post-ship fleet coverage rate) =
0.11
- T (horizon in rounds) =
48
- n (number of co-disclosed vulnerabilities) =
1-3 (headline n=2)
- Five κ components (disc, egen, rev, pgen, ptest) per model =
panel means in Table 2
axioms (6)
- domain assumption Inner game is fully observable, zero-sum, finite-horizon, simultaneous-move stochastic game admitting unique value by backward induction.
- domain assumption Defender pipeline is longer (detect-build-test-ship + adoption) than adversary pipeline (detect-weaponize or reverse-engineer).
- domain assumption Coverage after ship grows at exogenous rate ρ independent of AI capability.
- ad hoc to paper LLM-Delphi panel of five GPT-5.1 security personas can convert benchmark pass rates into valid per-round Bernoulli rates.
- ad hoc to paper Lab payoff is defender welfare minus linear delay cost; lab internalizes defender welfare.
- standard math Standard finite-horizon zero-sum stochastic game value (Shapley recursion).
invented entities (2)
-
Release window W as the lab's sole strategic lever inducing time-varying capability schedules κ_Def(t), κ_Adv(t)
no independent evidence
-
Capability vector κ = (κ_disc, κ_egen, κ_rev, κ_pgen, κ_ptest)
no independent evidence
read the original abstract
Responsible vulnerability disclosure can secure the defender's head start by controlling when a vulnerability becomes public. However, this status quo is now challenged by increases in capability of AI models, which benefits both defenders and adversaries. When both sides draw their capability from the same AI model, the defender's head start depends on the lab's decision to release the model, and the question becomes not whether to release but how. Existing safety frameworks govern only the deploy-or-withhold threshold and leave the timing of release unmodeled. We cast this decision as a bilevel Stackelberg game in which a lab commits to a window that sets each side's capability over time in a downstream contest between defender and adversary. Defender welfare turns on the capability gap, not the shared level. Handing one model to both sides can trap the defender in a Red Queen's race, whereas a pre-release to the defender alone creates a protective gap, and the lab's optimal window balances this welfare gain against the opportunity cost of delaying release. For dual-use models, the lever is the sequencing of access, not the deployment threshold.
Figures
Reference graph
Works this paper leans on
-
[1]
AI Security Institute: Our evaluation of claude mythos pre- view’s cyber capabilities (2026),https://www.aisi.gov.uk/blog/ our-evaluation-of-claude-mythos-previews-cyber-capabilities
2026
-
[2]
Anthropic: Project Glasswing: Securing critical software for the AI era (Apr 2026)
2026
-
[3]
Anthropic: Responsible scaling policy, version 3.3 (2026)
2026
-
[4]
Management Science54(4), 642–656 (2008)
Arora, A., Telang, R., Xu, H.: Optimal policy for software vulnerability disclosure. Management Science54(4), 642–656 (2008)
2008
-
[5]
Proceedings of the National Academy of Sciences111(4), 1298–1303 (2014)
Axelrod, R., Iliev, R.: Timing of cyber conflict. Proceedings of the National Academy of Sciences111(4), 1298–1303 (2014)
2014
-
[6]
Game Theory and Machine Learning for Cyber Security pp
Bao, T., Shoshitaishvili, Y.: Cyber autonomy in software security: Techniques and tactics. Game Theory and Machine Learning for Cyber Security pp. 204–229 (2021)
2021
-
[7]
arXiv preprint arXiv:2512.08864 (2025)
Barrett, S., Murray, M., Quarks, O., Smith, M., Kryś, J., Campos, S., Boria, A.T., Touzet, C., Hayrapet, S., Heiding, F., et al.: Toward quantitative modeling of cybersecurity risks due to ai misuse. arXiv preprint arXiv:2512.08864 (2025)
arXiv 2025
-
[8]
Brumley, D., Poosankam, P., Song, D., Zheng, J.: Automatic patch-based exploit generation is possible: Techniques and implications (2008)
2008
-
[9]
In: International Conference on Decision and Game Theory for Security
Canann, T.J.: Toward a theory of vulnerability disclosure policy: a hacker’s game. In: International Conference on Decision and Game Theory for Security. pp. 118–
-
[10]
Charrier, C., Weiner, R.: How low can you go? an analysis of 2023 time-to-exploit trends. Tech. rep., Mandiant (2024)
2023
-
[11]
The Journal of Industrial Economics58(4), 868–894 (2010)
Choi, J.P., Fershtman, C., Gandal, N.: Network security: Vulnerabilities and dis- closure policy. The Journal of Industrial Economics58(4), 868–894 (2010)
2010
-
[12]
arXiv preprint arXiv:2504.06939 (2025)
Dai, D., Liu, M., Li, A., Cao, J., Wang, Y., Wang, C., Peng, X., Zheng, Z.: Feed- backeval: A benchmark for evaluating large language models in feedback-driven code repair tasks. arXiv preprint arXiv:2504.06939 (2025)
arXiv 2025
-
[13]
Management science9(3), 458–467 (1963)
Dalkey, N., Helmer, O.: An experimental application of the delphi method to the use of experts. Management science9(3), 458–467 (1963)
1963
-
[14]
DeepMind, G.: Frontier safety framework, version 3.1 (2026)
2026
-
[15]
Edgescan: 2025 vulnerability statistics report. Tech. rep., Edgescan (2025)
2025
-
[16]
Epp, S.: Zero day clock (2026),https://zerodayclock.com/
2026
-
[17]
arXiv preprint arXiv:2404.08144 (2024)
Fang, R., Bindu, R., Gupta, A., Kang, D.: Llm agents can autonomously exploit one-day vulnerabilities. arXiv preprint arXiv:2404.08144 (2024)
Pith/arXiv arXiv 2024
-
[18]
In: Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004
Flake, H.: Structural comparison of executable objects. In: Detection of intrusions and malware & vulnerability assessment, GI SIG SIDAR workshop, DIMVA 2004. pp. 161–173. Gesellschaft für Informatik eV (2004)
2004
-
[19]
Advances in Neural Information Processing Systems 37, 50426–50468 (2024)
Halawi,D.,Zhang,F.,Yueh-Han,C.,Steinhardt,J.:Approachinghuman-levelfore- casting with language models. Advances in Neural Information Processing Systems 37, 50426–50468 (2024)
2024
-
[20]
Holley, B.: The zero-days are numbered (2026),https://blog.mozilla.org/en/ privacy-security/ai-security-zero-day-vulnerabilities/
2026
-
[21]
rep., Lockheed Martin Corporation (2011), white paper
Hutchins, E.M., Cloppert, M.J., Amin, R.M.: Intelligence-driven computer network defenseinformedbyanalysisofadversarycampaignsandintrusionkillchains.Tech. rep., Lockheed Martin Corporation (2011), white paper
2011
-
[22]
Jimenez, C.E., Yang, J., Wettig, A., Yao, S., Pei, K., Press, O., Narasimhan, K.R.: SWE-bench:Canlanguagemodelsresolvereal-worldgithubissues?In:TheTwelfth International Conference on Learning Representations (2024) 20 C. R. Landolt et al
2024
-
[23]
John Wiley & Sons (2021)
Kamhoua, C.A., Kiekintveld, C.D., Fang, F., Zhu, Q.: Game theory and machine learning for cyber security. John Wiley & Sons (2021)
2021
-
[24]
arXiv preprint arXiv:2602.08889 (2026)
Lorenz, T., Fritz, M.: Scalable delphi: Large language models for structured risk estimation. arXiv preprint arXiv:2602.08889 (2026)
arXiv 2026
-
[25]
In: Proceed- ings of the 2010 New Security Paradigms Workshop
Moore, T., Friedman, A., Procaccia, A.D.: Would a’cyber warrior’protect us: ex- ploring trade-offs between attack and defense of information systems. In: Proceed- ings of the 2010 New Security Paradigms Workshop. pp. 85–94 (2010)
2010
-
[26]
In: Globerson, A., Mackey, L., Belgrave, D., Fan, A., Paquet, U., Tomczak, J., Zhang, C
Mündler, N., Müller, M.N., He, J., Vechev, M.: Swt-bench: Testing and validating real-world bug-fixes with code agents. In: Globerson, A., Mackey, L., Belgrave, D., Fan, A., Paquet, U., Tomczak, J., Zhang, C. (eds.) Advances in Neural Information Processing Systems. vol. 37, pp. 81857–81887. Curran Associates, Inc. (2024)
2024
-
[27]
arXiv preprint arXiv:2503.04299 (2025)
Murray, M., Papadatos, H., Quarks, O., Gimenez, P.F., Campos, S.: Mapping ai benchmark data to quantitative risk estimates through expert elicitation. arXiv preprint arXiv:2503.04299 (2025)
Pith/arXiv arXiv 2025
-
[28]
OpenAI: Preparedness framework, version 2 (2025)
2025
-
[29]
arXiv preprint arXiv:2403.13793 (2024)
Phuong, M., Aitchison, M., Catt, E., Cogan, S., Kaskasoli, A., Krakovna, V., Lind- ner, D., Rahtz, M., Assael, Y., Hodkinson, S., et al.: Evaluating frontier models for dangerous capabilities. arXiv preprint arXiv:2403.13793 (2024)
Pith/arXiv arXiv 2024
-
[30]
Rescorla, E.: Is finding security holes a good idea? IEEE Security & Privacy (2005)
2005
-
[31]
Science Advances10(45), eadp1528 (2024)
Schoenegger, P., Tuminauskaite, I., Park, P.S., Bastos, R.V.S., Tetlock, P.E.: Wis- dom of the silicon crowd: Llm ensemble prediction capabilities rival human crowd accuracy. Science Advances10(45), eadp1528 (2024)
2024
-
[32]
Proceedings of the national academy of sciences 39(10), 1095–1100 (1953)
Shapley, L.S.: Stochastic games. Proceedings of the national academy of sciences 39(10), 1095–1100 (1953)
1953
-
[33]
arXiv preprint arXiv:2201.05159 (2022)
Shevlane, T.: Structured access: an emerging paradigm for safe ai deployment. arXiv preprint arXiv:2201.05159 (2022)
Pith/arXiv arXiv 2022
-
[34]
In: Proceedings of the 2023 ACM conference on fairness, accountability, and trans- parency
Solaiman, I.: The gradient of generative ai release: Methods and considerations. In: Proceedings of the 2023 ACM conference on fairness, accountability, and trans- parency. pp. 111–122 (2023)
2023
-
[35]
arXiv preprint arXiv:1908.09203 (2019)
Solaiman, I., Brundage, M., Clark, J., Askell, A., Herbert-Voss, A., Wu, J., Rad- ford, A., Krueger, G., Kim, J.W., Kreps, S., et al.: Release strategies and the social impacts of language models. arXiv preprint arXiv:1908.09203 (2019)
Pith/arXiv arXiv 1908
-
[36]
NIST Special Publication 800-40 Rev
Souppaya, M., Scarfone, K.: Guide to enterprise patch management planning: Pre- ventive maintenance for technology. NIST Special Publication 800-40 Rev. 4, Na- tional Institute of Standards and Technology (Apr 2022)
2022
-
[37]
Cambridge university press (2011)
Tambe, M.: Security and game theory: algorithms, deployed systems, lessons learned. Cambridge university press (2011)
2011
-
[38]
Wang, Z., Schiller, N., Li, H., Narayana, S.S., Nasr, M., Carlini, N., Qi, X., Wallace, E., Bursztein, E., Invernizzi, L., et al.: Exploitgym: Can ai agents turn security vulnerabilities into real attacks? arXiv preprint arXiv:2605.11086 (2026)
Pith/arXiv arXiv 2026
-
[39]
arXiv preprint arXiv:2506.02548 (2025)
Wang, Z., Shi, T., He, J., Cai, M., Zhang, J., Song, D.: Cybergym: Evalu- ating ai agents’ real-world cybersecurity capabilities at scale. arXiv preprint arXiv:2506.02548 (2025)
arXiv 2025
-
[40]
Advances in Neural Information Processing Systems38(2026)
Zhang, A., Ji, J., Menders, C., Dulepet, R., Qin, T., Wang, R., Wu, J., Liao, K., Li, J., Hu, J., et al.: Bountybench: Dollar impact of ai agent attackers and defenders on real-world cybersecurity systems. Advances in Neural Information Processing Systems38(2026)
2026
-
[41]
In: International Conference on Learning Representations
Zhang, A.K., Perry, N., Dulepet, R., Ji, J., Menders, C., Lin, J., Jones, E., Hussein, G., Liu, S., Jasper, D., et al.: Cybench: A framework for evaluating cybersecurity capabilities and risks of language models. In: International Conference on Learning Representations. vol. 2025, pp. 25094–25243 (2025)
2025
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.