AI Turns Patches Into Working Exploits in 30 Minutes, and the 90-Day Disclosure Window Is the Casualty
Why It Matters
The collapse of the 90‑day disclosure model accelerates the attacker’s window, forcing the entire security ecosystem to rethink vulnerability handling and patch deployment timelines.
Key Takeaways
- AI models turn patches into exploits within minutes
- 90‑day disclosure window no longer prevents rapid public attacks
- Vendors must treat critical bugs as emergency P0 fixes
- Researchers should push for shorter, real‑time disclosure timelines
Pulse Analysis
The rise of generative AI has reshaped the vulnerability lifecycle, compressing what once took weeks into minutes. Language models can ingest a patch diff, generate exploit code, and validate it with minimal human oversight. This capability undermines the long‑standing 90‑day disclosure policy popularized by Google’s Project Zero, which assumed attackers needed substantial time to reverse‑engineer a working exploit after a patch was released. As AI tools become more accessible, the gap between patch publication and exploit availability is vanishing, exposing organizations to immediate risk.
Recent incidents illustrate the speed and scale of the problem. A critical bug in an e‑commerce platform that allowed zero‑price purchases was reported by eleven researchers within six weeks, yet each AI‑enhanced report arrived almost simultaneously, nullifying the notion of a single discoverer. In the React framework case, a language model produced a functional exploit in 30 minutes—an effort that traditionally required days of reverse engineering. The Linux kernel’s "Copy Fail" vulnerability, discovered via an hour‑long AI scan, was weaponized by threat actors within hours, and an attempted five‑day embargo on a related flaw collapsed within the same timeframe. These examples demonstrate that vendors no longer enjoy a comfortable head start, and coordinated embargoes are increasingly untenable.
The implications are clear: security teams must shift from a reactive, schedule‑driven approach to an emergency‑response mindset. Vendors should classify critical vulnerabilities as P0 incidents and allocate resources for immediate patch development, bypassing regular sprint cycles. Researchers need to advocate for shorter, perhaps real‑time, disclosure windows, recognizing that multiple parties can discover the same flaw almost instantly. Administrators must automate rapid patch deployment, integrating AI defensively to scan codebases, validate patches, and monitor for exploit attempts. By embracing AI both as a threat and a defensive tool, the industry can begin to close the accelerating gap between discovery and exploitation.
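The recommendation above to automate rapid patch deployment implies that "time since the advisory went public" becomes the metric that drives escalation. The following patch-lag monitor is an added illustration written for this summary, not code from the article or from any vendor mentioned in it. It compares each asset's installed version against the fixed version in an advisory, measures how long the asset has been exposed since publication, and escalates anything that exceeds a per-severity exposure budget. The budgets, priority labels, advisory identifiers, component names and asset inventory are all constructed assumptions for the example; the only idea taken from the article is that critical bugs get a P0 budget measured in hours rather than days.

```python
"""Patch-lag monitor: flag assets still unpatched past an exposure budget.

Constructed example. Budgets, advisory IDs, components and assets are
placeholders chosen for illustration, not values from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed exposure budgets: how long an asset may stay unpatched after the
# advisory (and therefore the patch diff) is public before it is escalated.
EXPOSURE_BUDGET = {
    "critical": timedelta(hours=4),
    "high": timedelta(hours=24),
    "medium": timedelta(days=7),
    "low": timedelta(days=30),
}

# Assumed mapping from severity to incident priority (P0 = emergency fix).
PRIORITY = {"critical": "P0", "high": "P1", "medium": "P2", "low": "P3"}

# Sort order for the report: overdue findings first, then still-open, then patched.
STATUS_ORDER = {"overdue": 0, "open": 1, "patched": 2}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder identifier, e.g. "ADV-0001"
    component: str          # software component the advisory applies to
    severity: str           # one of the EXPOSURE_BUDGET keys
    published: datetime     # when the advisory/patch became public (UTC)
    fixed_version: str      # first version that contains the fix


@dataclass(frozen=True)
class Asset:
    name: str
    component: str
    version: str            # currently installed version


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def is_patched(advisory: Advisory, asset: Asset) -> bool:
    """True when the installed version is at or beyond the fixed version."""
    return parse_version(asset.version) >= parse_version(advisory.fixed_version)


def exposure_hours(advisory: Advisory, now: datetime) -> float:
    """Hours elapsed since the advisory went public (never negative)."""
    elapsed = max((now - advisory.published).total_seconds(), 0.0)
    return elapsed / 3600.0


def triage(advisory: Advisory, asset: Asset, now: datetime) -> Optional[dict]:
    """Classify one asset against one advisory; None if the advisory does not apply."""
    if asset.component != advisory.component:
        return None
    if is_patched(advisory, asset):
        status = "patched"
    elif now - advisory.published > EXPOSURE_BUDGET[advisory.severity]:
        status = "overdue"      # exposure budget exhausted: escalate now
    else:
        status = "open"         # unpatched but still inside the budget
    return {
        "asset": asset.name,
        "advisory_id": advisory.advisory_id,
        "priority": PRIORITY[advisory.severity],
        "status": status,
        "exposure_hours": exposure_hours(advisory, now),
    }


def report(advisories: List[Advisory], assets: List[Asset], now: datetime) -> List[dict]:
    """Cross every advisory with every asset and sort by urgency."""
    findings = []
    for advisory in advisories:
        for asset in assets:
            finding = triage(advisory, asset, now)
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: (STATUS_ORDER[f["status"]], f["priority"]))


def overdue_assets(findings: List[dict]) -> List[str]:
    """Names of assets with at least one finding past its exposure budget."""
    return sorted({f["asset"] for f in findings if f["status"] == "overdue"})


# Constructed sample data: three advisories and four assets.
UTC = timezone.utc
ADVISORIES = [
    Advisory("ADV-0001", "shopcart", "critical", datetime(2024, 5, 1, 0, 0, tzinfo=UTC), "2.3.1"),
    Advisory("ADV-0002", "kernel", "high", datetime(2024, 4, 29, 0, 0, tzinfo=UTC), "6.8.2"),
    Advisory("ADV-0003", "libfoo", "medium", datetime(2024, 4, 30, 0, 0, tzinfo=UTC), "1.2.0"),
]
ASSETS = [
    Asset("web-01", "shopcart", "2.3.1"),
    Asset("web-02", "shopcart", "2.3.0"),
    Asset("db-01", "kernel", "6.8.1"),
    Asset("db-02", "kernel", "6.8.4"),
    Asset("app-01", "libfoo", "1.1.9"),
]
NOW = datetime(2024, 5, 1, 6, 0, tzinfo=UTC)

if __name__ == "__main__":
    for f in report(ADVISORIES, ASSETS, NOW):
        print(f"{f['status']:8} {f['priority']} {f['asset']:7} {f['advisory_id']} "
              f"exposed {f['exposure_hours']:.1f}h")
    print("escalate:", overdue_assets(report(ADVISORIES, ASSETS, NOW)))
```

With the sample data, `web-02` is six hours behind a critical advisory with a four-hour budget and `db-01` is 54 hours behind a high-severity one, so both are reported as overdue P0/P1 findings, while `app-01` is still inside its medium budget and stays merely open. The point of the design is that the clock starts at publication, not at the start of the next sprint, which is the change in mindset the summary calls for.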