90-DAY VULNERABILITY WINDOW OBSOLETE AS LLMS SPEED EXPLOITS
AI DESK | 2 MIN READ
MON, MAY 11, 2026 | AI-SUMMARIZED FROM 1 SOURCE
Large language models are collapsing the timeline between bug discovery and working exploits, making traditional 90-day disclosure policies ineffective. Security researcher Himanshu Anand argues critical vulnerabilities now require immediate patching.
The security industry's standard 90-day vulnerability disclosure window is no longer viable, according to Anand's analysis of how AI systems accelerate exploit development.
Historically, vendors received 90 days to patch vulnerabilities before public disclosure. This timeframe assumed a significant gap between when researchers discovered bugs and when attackers could weaponize them. LLMs collapse this assumption.
The Acceleration Problem
Anand highlights a critical finding: the window from patch release to working exploit has compressed to approximately 30 minutes. LLMs can analyze patched code, reverse-engineer the vulnerability, and generate functional exploits at speeds that dwarf manual analysis.
This eliminates the protective buffer organizations traditionally relied on. Companies shipping patches now face an immediate threat of public exploitation, before they have even completed internal testing or prepared a deployment strategy.
Industry Response Required
The implications force fundamental changes to vulnerability management practices:
- Zero-day handling: Critical vulnerabilities may require same-day or staged patching rather than coordinated disclosure timelines
- Patch testing: Organizations must accelerate testing cycles or accept greater deployment risk
- Vulnerability triage: Security teams need better classification systems to distinguish the truly critical issues that require an emergency response from the rest
- Disclosure policy revision: The 90-day standard becomes a floor for non-critical issues only
Anand emphasizes that this is not theoretical. Real-world exploit development has already shown that LLMs can produce working code from vulnerability descriptions and patches within minutes.
What Changes
Companies must treat critical vulnerabilities as active incidents requiring emergency response protocols. Security teams, developers, and operations need coordinated processes to patch within hours rather than days. The industry standard must shift from 90-day disclosure to risk-based response times tied to exploitability and impact.
For vendors, the pressure increases to identify and patch vulnerabilities before public disclosure becomes possible. For organizations running affected systems, the margin for response continues to shrink.
SOURCES
Techmeme (summary written by AI from the linked source)