{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreidlp6tbhqlcqudp2lbq5uoem7ykgma5xpb5t6dbhuuw44wqo3dwum",
    "uri": "at://did:plc:b3tz6srl4ochk2wxn6dv6xpy/app.bsky.feed.post/3mnxgfode7xd2"
  },
  "path": "/Articles/1077413/",
  "publishedAt": "2026-06-10T16:43:14.000Z",
  "site": "https://lwn.net",
  "tags": [
    "security developer-in-residence",
    "written about",
    "PyCharm IDE",
    "Full Line code completion",
    "Coordinated Disclosure Policy"
  ],
  "textContent": "Seth Larson, the Python Software Foundation's security developer-in-residence, has written about the difficulty in classifying insecure code completion in the PyCharm IDE using its Full Line code completion plugin. Larson discovered that the plugin, which uses a local \"deep learning module\" to offer code completions, suggests code that would lead to severe vulnerabilities. He was unsure whether it warranted a CVE or not, however:\n\n> I reported this behavior to JetBrains for \"Full Line Code Completion\" v253.29346.142 and clearly their support staff weren't certain whether this defect was a security vulnerability or not either. When I asked to publish a blog post about this behavior after they confirmed this report wasn't a \"direct security vulnerability\" (which I agree with) but then was asked not to publicize my report and referred to PyCharm's Coordinated Disclosure Policy so... which is it? Security vulnerability or not?\n>\n> I ended up waiting the 90 days anyway and I didn't hear back with any substantive update from the development team. I double-checked again today using \"Full Line Code Completion\" v261.24374.152 and the behavior is identical, suggesting the same insecure code for both contexts.\n>\n> This isn't meant to be a specific dig at PyCharm or JetBrains, I have no doubt that examples like this exist in every code generation model available.",
  "title": "Larson: Are insecure code completions a vulnerability?"
}