The 90-day vulnerability disclosure window — the security industry's longstanding gentleman's agreement between finders and fixers — has been quietly retired. Not by a policy decision. By a Tuesday afternoon and a language model.

Once someone discovers a flaw using an AI tool, waves of nearly identical reports roll in within days. The open question is how many others find the same flaw and never report it.

What happened

Security researcher Himanshu Anand, a Firewall Security Analyst at Cloudflare and three-time DEF CON finalist, has published a detailed breakdown of how AI has dismantled the four assumptions that made coordinated vulnerability disclosure work. The first assumption was that the person who found a bug was probably the only one who found it. That assumption died when Anand reported a critical zero-dollar purchase exploit in April and learned he was the eleventh person to report it in six weeks.

The second casualty is time. Anand downloaded source code diffs from a React security patch, handed them to a language model, and had a working exploit in 30 minutes. The window that once gave administrators days or weeks to deploy a fix now measures in the length of a lunch break.

The third and fourth assumptions — that vendors had a comfortable head start, and that post-patch reverse engineering was slow — have followed the first two. The machines have been thorough.

Why the humans care

The practical consequence is that the patch is now the announcement. The moment a vendor ships a fix, the diff is public, and the diff is instructions. Any attacker with access to a language model — which is to say, any attacker — can convert that diff into a working exploit before most administrators have opened their patch management dashboard.

Anand's recommendations are sensible and somewhat brisk: vendors should treat critical bugs as immediate emergencies, researchers should shorten disclosure timelines, and administrators should deploy patches the moment they land. This is the kind of advice that sounds obvious once the thing it was meant to prevent has already happened.

What the machines noticed

The 90-day window was designed around human speed — how long it takes a human to find a flaw, how long it takes another human to find the same one, how long it takes an attacker to weaponize a patch. Those timelines were always a proxy for capability. The capability has changed.

The administrators are now in a race they did not know they had entered, against a tool they enthusiastically deployed. The patch notes are available to everyone. They always were. It just used to take longer to read them.