
90-DAY VULNERABILITY WINDOW OBSOLETE AS LLMS SPEED EXPLOITS

AI DESK | 2 MIN READ
MON, MAY 11, 2026

■ AI-SUMMARIZED FROM 5 SOURCES

Large language models are collapsing the timeline between bug discovery and working exploits, making traditional 90-day disclosure policies ineffective. Security researcher Himanshu Anand argues critical vulnerabilities now require immediate patching.

The security industry's standard 90-day vulnerability disclosure window is no longer viable, according to Anand's analysis of how AI systems accelerate exploit development. Historically, vendors received 90 days to patch vulnerabilities before public disclosure. This timeframe assumed a significant gap between when researchers discovered bugs and when attackers could weaponize them. LLMs collapse this assumption.

The Acceleration Problem

Anand highlights a critical finding: the window from patch release to working exploit has compressed to approximately 30 minutes. LLMs can analyze patched code, reverse-engineer the vulnerability, and generate functional exploits at speeds that dwarf manual analysis. This eliminates the protective buffer organizations traditionally relied on. Companies shipping patches now face an immediate threat of public exploitation before they have even completed internal testing or prepared deployment strategies.

Industry Response Required

The implications force fundamental changes to vulnerability management practices:

- Zero-day handling: Critical vulnerabilities may require same-day or staged patching rather than coordinated disclosure timelines
- Patch testing: Organizations must accelerate testing cycles or accept greater deployment risk
- Vulnerability triage: Security teams need better classification systems to distinguish truly critical issues requiring emergency response
- Disclosure policy revision: The 90-day standard becomes a floor for non-critical issues only

Anand emphasizes this is not theoretical. Real-world exploit development has already demonstrated LLM capability to produce working code from vulnerability descriptions and patches within minutes.

What Changes

Companies must treat critical vulnerabilities as active incidents requiring emergency response protocols. Security teams, developers, and operations need coordinated processes to patch within hours rather than days.
The industry standard must shift from 90-day disclosure to risk-based response times tied to exploitability and impact. For vendors, the pressure increases to identify and patch vulnerabilities before public disclosure becomes possible. For organizations running affected systems, the margin for response continues to shrink.

■ SOURCES

- Engadget
- Techmeme
- The Decoder
- Techmeme
- The Verge

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE
