
The Death of the 90-Day Disclosure Policy in the Age of LLMs

May 10, 2026

For over a decade, the security industry has operated on a set of fundamental assumptions: bug finders are relatively rare, exploit development is a slow and skilled process, and a 90-day disclosure window provides vendors with a comfortable head start to patch before the public—and attackers—become aware.

These assumptions are no longer valid. The integration of Large Language Models (LLMs) into both offensive and defensive workflows has compressed the timeline from discovery to exploitation to near-zero. We are entering an era where the "responsible disclosure" window is not protecting users; it is providing a head start to anyone who has already found the bug and chooses not to report it.

The Collapse of the Discovery Monopoly

In the traditional model, a researcher might find a critical bug and be the sole possessor of that knowledge for weeks. Today, LLM-assisted hunting has created a phenomenon of "convergent discovery."

Consider a recent case where a critical vulnerability—allowing an attacker to bypass payment verification on a website—was reported. The researcher discovered they were the eleventh person to report the same bug within a six-week window. This pattern is becoming systemic. When LLM prompts and automated skills are shared or independently derived, multiple unrelated researchers converge on the same root cause almost simultaneously.

This creates a dangerous incentive structure. If ten people find a bug but only one receives the CVE credit or the bounty, the other nine are left with a potent weapon and no reward. In a world where discovery is fast and abundant, the 90-day clock becomes a period of exposure, not protection.

From Patch to Exploit in Minutes

Historically, the "n-day gap"—the time between a patch being released and a working exploit being developed from that patch—was a critical safety net. It gave system administrators a window of a few days or weeks to update their systems.

That gap has vanished. Recent experiments with React security patches demonstrate that an LLM can analyze a patch diff, identify the vulnerable code path, and generate a working Proof of Concept (PoC) in as little as 30 minutes. The skilled reverse engineer is no longer a requirement for simple to moderately complex bugs; the LLM handles the tedious analysis, and the human simply steers the process.

Case Study: The Week Linux "Caught Fire"

Two recent Linux kernel vulnerabilities illustrate the total failure of the old disclosure model:

Copy Fail (CVE-2026-31431)

Discovered using AI-automated scanning of the kernel crypto/ subsystem in just one hour, this logic flaw provided a 100% reliable root escalation across nearly every Linux distribution shipped since 2017. The speed of weaponization was staggering: within days of public disclosure, nation-state actors were leveraging the bug to compromise Ubuntu servers for DDoS campaigns.

Dirty Frag (CVE-2026-43284 & CVE-2026-43500)

This vulnerability chain bypassed the mitigations put in place for Copy Fail. Despite a coordinated effort and a five-day embargo, a third party broke the embargo by publishing exploit information within hours. By the time the full write-up and PoC were released, zero Linux distributions had a patch available. Microsoft's Defender team confirmed in-the-wild exploitation within 24 hours.

The New Security Imperative

If the 90-day window and monthly patch cycles are dead, the industry must pivot toward a real-time response model.

For Vendors and Researchers

Critical security issues must be treated as P0 emergencies. The clock starts the moment a report lands, not when triage ends. Researchers should push for the shortest possible disclosure windows, recognizing that they are likely not the only ones who have found the flaw.

For the Blue Team: AI-Driven Defense

Defenders cannot fight LLM-powered attackers with manual processes. The defensive pipeline must be automated at the same speed as the offensive one:

  • Point-of-Push Review: Integrate AI-assisted security reviews into the CI pipeline. Vulnerabilities should be caught during the Pull Request (PR) phase, not after a CVE is issued.
  • Automated Patch Analysis: When an upstream dependency is patched, AI should automatically analyze the diff, determine if the local codebase is affected, and flag it for immediate action.
  • AI-Verified Patching: Before shipping a security fix, use LLMs to verify that the patch actually closes the hole and does not introduce new regressions.
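The "Automated Patch Analysis" step above has a deterministic front end that can run before any model is involved: pull the touched functions out of the upstream diff, find where the local codebase references them, and only raise an alert when the pinned dependency version predates the fix. The script below is an added example written for this post, not code from the post or from any project it mentions; the diff, the `paylib` package, the `verify_signature`/`parse_amount` names, the local source files and the version numbers are all constructed for illustration, and the version comparison is deliberately simplistic (dotted integers only).

```python
"""Deterministic first stage of an automated patch-impact check (added example).

Given a unified diff from an upstream dependency's security fix, extract the
functions the patch touches, scan the local codebase for references to those
functions, and flag the result when the pinned version predates the fix. In a
real pipeline the diff comes from the advisory or upstream repository and the
sources from the local checkout; everything below is constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "+++ b/<path>" lines name the files the patch modifies.
FILE_RE = re.compile(r"^\+\+\+ b/(\S+)")
# Added/removed lines that define a function directly (Python/JS/Go keywords).
DEF_RE = re.compile(r"^[+-]\s*(?:def|function|func|fn)\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(")
# First identifier immediately followed by "(" in a hunk's context string.
CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


@dataclass
class PatchSummary:
    files: set[str] = field(default_factory=set)
    symbols: set[str] = field(default_factory=set)


def _hunk_context(line: str) -> str:
    # "@@ -a,b +c,d @@ <context>" -> "<context>" (empty when git gave none).
    parts = line.split("@@", 2)
    return parts[2].strip() if len(parts) == 3 else ""


def parse_diff(diff_text: str) -> PatchSummary:
    """Collect modified file paths and the function names the hunks touch."""
    summary = PatchSummary()
    for line in diff_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            summary.files.add(m.group(1))
            continue
        if line.startswith("@@"):
            # git puts the enclosing function signature after the second "@@",
            # which also covers C-style "static int foo(" contexts.
            m = CALL_RE.search(_hunk_context(line))
        else:
            m = DEF_RE.match(line)
        if m:
            summary.symbols.add(m.group(1))
    return summary


def find_affected(summary: PatchSummary,
                  local_sources: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Return {local_file: [(line_no, symbol), ...]} for every mention of a patched symbol.

    Bare-identifier matching is used on purpose so that imports and callbacks
    are flagged too; a human (or a later model-assisted step) triages the list.
    """
    if not summary.symbols:
        return {}
    pattern = re.compile(r"\b(" + "|".join(re.escape(s) for s in sorted(summary.symbols)) + r")\b")
    hits: dict[str, list[tuple[int, str]]] = {}
    for path, text in local_sources.items():
        for no, line in enumerate(text.splitlines(), start=1):
            for m in pattern.finditer(line):
                hits.setdefault(path, []).append((no, m.group(1)))
    return hits


def version_tuple(v: str) -> tuple[int, ...]:
    # Constructed simplification: dotted integers only, no pre-release tags.
    return tuple(int(x) for x in v.split("."))


def needs_action(pinned: str, fixed_in: str, hits: dict) -> bool:
    """True when the pinned dependency predates the fix and local code uses a patched symbol."""
    return version_tuple(pinned) < version_tuple(fixed_in) and bool(hits)


def triage(diff_text: str, local_sources: dict[str, str], pinned: str, fixed_in: str) -> dict:
    summary = parse_diff(diff_text)
    hits = find_affected(summary, local_sources)
    return {
        "patched_files": sorted(summary.files),
        "patched_symbols": sorted(summary.symbols),
        "local_hits": hits,
        "action_required": needs_action(pinned, fixed_in, hits),
    }


# Constructed upstream fix: a timing-safe comparison plus a new amount parser.
UPSTREAM_DIFF = """\
diff --git a/paylib/verify.py b/paylib/verify.py
--- a/paylib/verify.py
+++ b/paylib/verify.py
@@ -12,7 +12,9 @@ def verify_signature(payload, sig, key):
-    return hmac.new(key, payload, "sha256").hexdigest() == sig
+    expected = hmac.new(key, payload, "sha256").hexdigest()
+    return hmac.compare_digest(expected, sig)
@@ -40,3 +42,6 @@
+def parse_amount(raw):
+    # constructed: reject negative or non-numeric amounts
+    return max(int(raw), 0)
"""

# Constructed local codebase: one file uses the patched function, one does not.
LOCAL_SOURCES = {
    "checkout/webhooks.py": (
        "from paylib.verify import verify_signature\n\n"
        "def handle(req):\n"
        "    if not verify_signature(req.body, req.sig, KEY):\n"
        "        return 403\n"
        "    return 200\n"
    ),
    "reports/export.py": "import csv\n\ndef dump(rows):\n    return csv.writer(rows)\n",
}

if __name__ == "__main__":
    print(triage(UPSTREAM_DIFF, LOCAL_SOURCES, pinned="1.4.2", fixed_in="1.5.0"))
```

The output of `triage` is what a CI job would post on the dependency-bump pull request: the patched files and symbols, the exact local lines that touch them, and a single boolean that decides whether the bump is routine or a P0. Feeding the same summary to a model for a narrative explanation is the optional second stage; the flag itself never depends on it.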

Counterpoint: Is this just a "Low-Hanging Fruit" Phase?

Some argue that this surge in LLM-found bugs is a temporary spike. The theory is that once the "easy" bugs in legacy code are purged, the industry will return to a state where human insight is the primary driver of discovery.

However, this underestimates the iterative nature of AI. As LLMs get better at understanding complex state machines and race conditions, the definition of "low-hanging fruit" expands. The risk is not that all bugs will be found, but that the window for fixing them before exploitation has permanently shrunk.

Final Thoughts

The reality of modern security is that the gap between vulnerability and exploitation is trending toward zero. The only way to survive this shift is to make AI a first-class citizen in the defensive pipeline. The tools to automate scanning, analysis, and patching exist; the only remaining question is whether defenders will deploy them before the attackers do.
