Why the 90-day responsible disclosure policy is obsolete in the age of LLMs
By Himanshu Anand
Summary
The article argues that the traditional 90-day responsible disclosure window for security vulnerabilities is obsolete in the age of LLMs. The author explains that AI tools have dramatically accelerated both bug discovery and exploit development, compressing timelines to near-zero. Drawing from firsthand experience and real-world examples, the author calls on the industry to treat every critical security issue as P0 (highest priority) and patch immediately, abandoning the old disclosure model that assumed slow exploit development.
Key quotes
The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone.
LLMs have compressed both timelines to near-zero.
treat every critical security issue as P0 and patch it immediately. Not tomorrow. Not next sprint. Now.
I have been doing security work for a while now, and the last 12 months feel different.