Larson: Are insecure code completions a vulnerability?

Python Software Foundation security developer Seth Larson reported that JetBrains' PyCharm IDE Full Line Code Completion plugin suggests code containing severe vulnerabilities, but JetBrains declined to classify the defect as a direct security vulnerability. Larson waited 90 days before publishing his findings, noting that the same insecure code completions persisted in the latest plugin version. The incident highlights unresolved ambiguity in how AI-generated code suggestions should be treated under coordinated disclosure policies.

Seth Larson, the Python Software Foundation's security developer-in-residence (https://pyfound.blogspot.com/2023/06/announcing-our-new-security-developer.html), has written about (https://sethmlarson.dev/are-insecure-code-completions-a-vulnerability) the difficulty of classifying insecure code completions in the PyCharm IDE (https://www.jetbrains.com/pycharm/) produced by its Full Line Code Completion (https://www.jetbrains.com/help/pycharm/full-line-code-completion.html) plugin. Larson discovered that the plugin, which uses a local "deep learning module" to offer code completions, suggests code that would lead to severe vulnerabilities. He was unsure whether it warranted a CVE or not, however:

I reported this behavior to JetBrains for "Full Line Code Completion" v253.29346.142, and clearly their support staff weren't certain whether this defect was a security vulnerability or not either. When I asked to publish a blog post about this behavior after they confirmed this report wasn't a "direct security vulnerability", which I agree with, I was then asked not to publicize my report and referred to PyCharm's Coordinated Disclosure Policy, so... which is it? Security vulnerability or not?

I ended up waiting the 90 days anyway and I didn't hear back with any substantive update from the development team. I double-checked again today using "Full Line Code Completion" v261.24374.152 and the behavior is identical, suggesting the same insecure code for both contexts. This isn't meant to be a specific dig at PyCharm or JetBrains; I have no doubt that examples like this exist in every code generation model available.