90-Day Vulnerability Disclosure Policy Declared Obsolete Due to AI Advancements

90-Day Vulnerability Disclosure Policy Declared Obsolete Due to AI Advancements

First seen 12 May 2026, 15:41 UTC News.YcombinatorGigazine 74% similarity 74.0

Article Content

Browse articles
ThreatCluster

The traditional 90-day vulnerability disclosure policy is deemed ineffective as AI accelerates bug detection and exploitation. Security expert Himanshu Anand highlights that AI tools can convert security patches into working exploits in as little as 30 minutes, undermining the rationale for the lengthy disclosure period. This rapid pace of vulnerability discovery has led to multiple reports of the same critical bugs, such as CVE-2026-43500, being filed simultaneously by different researchers. Anand calls for treating all critical vulnerabilities as top priority (P0) and implementing immediate patches. The monthly patch cycle is also criticized as outdated, as attackers can exploit vulnerabilities faster than the time allowed for fixes. The security industry is urged to adapt to this new reality to protect systems effectively.

Key Points: • The 90-day vulnerability disclosure policy is now considered obsolete due to AI advancements. • AI tools can turn security patches into exploits in as little as 30 minutes. • Multiple researchers reported the same critical vulnerabilities simultaneously, indicating a need for immediate action.

ThreatCluster AI

Timeline

2026-05-01
CVE-2026-31431 added to CISA KEV
This vulnerability was marked for active exploitation, raising alarms in the security community.
Gigazine
2026-05-06
CVE-2026-23870 published
Another critical vulnerability was disclosed, highlighting ongoing security challenges.
Gigazine
2026-05-08
CVE-2026-43284 published
A new critical vulnerability was disclosed, further emphasizing the need for immediate patching.
Gigazine
2026-05-08
Public exploit for CVE-2026-44578 released
A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers.
GitHub
2026-05-09
First public PoC for CVE-2026-43500
A proof of concept for a critical vulnerability was released, showcasing its exploitability.
News.Ycombinator

Community

Browse all →