
Standard 90-Day Vulnerability Disclosure Policy Is Likely Dead Thanks to AI, Expert Warns that AI Can Weaponize Patches in 30 Minutes — LLM-Assisted Bug-Hunting Ushers in a New Cyberworld Order
Why It Matters
The collapse of the 90‑day disclosure model forces organizations to adopt real‑time patching, reshaping how software security is managed across the industry.
Key Takeaways
- AI tools can locate and exploit code bugs within minutes
- The 90‑day disclosure window no longer protects vendors or users
- Researchers report duplicate findings days after the initial vulnerability discovery
- Immediate P0 fixes become essential as attackers use LLMs
Pulse Analysis
The rise of large language models (LLMs) has turned vulnerability research into a high‑speed race. Where manual code reviews once took weeks, AI‑assisted scanners can parse millions of lines of code around the clock, flagging exploitable patterns in minutes. Recent incidents like the Copy Fail and Dirty Frag Linux kernel flaws illustrate how quickly attackers can move from discovery to exploitation, compressing timelines that traditionally spanned months into days or even hours. This acceleration is not limited to open‑source projects; proprietary vendors face the same risk as decompilation and network‑mapping bots leverage the same AI capabilities.
Because the discovery window has shrunk dramatically, the long‑standing 90‑day disclosure policy is losing relevance. Researchers now see waves of duplicate reports within days, and black‑hat actors can weaponize patches before they are widely deployed. Anand’s demonstration of crafting a functional exploit for a patched React vulnerability in 30 minutes underscores the urgency. Organizations can no longer rely on scheduled monthly patch cycles; instead, they must treat critical vulnerabilities as P0 incidents, deploying fixes immediately to stay ahead of AI‑powered adversaries.
To adapt, security teams should embed LLMs into every stage of the software development lifecycle—code push, dependency scanning, and post‑deployment monitoring. Continuous, AI‑augmented testing can surface risky patterns before they reach production, while automated remediation scripts can generate and apply patches in near real‑time. Companies must also revise their disclosure strategies, favoring coordinated, rapid communication with vendors and users. By embracing a proactive, AI‑first security posture, firms can mitigate the heightened threat landscape and preserve trust in both open‑source and commercial software ecosystems.