90-Day Vulnerability Disclosure Policy Declared Obsolete Due to AI Advancements

Severity: High (Score: 74.0)

Sources: News.Ycombinator, Gigazine

Summary

The traditional 90-day vulnerability disclosure policy is deemed ineffective as AI accelerates bug detection and exploitation. Security expert Himanshu Anand highlights that AI tools can convert security patches into working exploits in as little as 30 minutes, undermining the rationale for the lengthy disclosure period. This rapid pace of vulnerability discovery has led to multiple reports of the same critical bugs, such as CVE-2026-43500, being filed simultaneously by different researchers. Anand calls for treating all critical vulnerabilities as top priority (P0) and implementing immediate patches. The monthly patch cycle is also criticized as outdated, as attackers can exploit vulnerabilities faster than the time allowed for fixes. The security industry is urged to adapt to this new reality to protect systems effectively.

Key Points:

  • The 90-day vulnerability disclosure policy is now considered obsolete due to AI advancements.
  • AI tools can turn security patches into exploits in as little as 30 minutes.
  • Multiple researchers reported the same critical vulnerabilities simultaneously, indicating a need for immediate action.

Key Entities

  • DDoS (attack_type)
  • CVE-2026-23870 (cve)
  • CVE-2026-31431 (cve)
  • CVE-2026-43284 (cve)
  • CVE-2026-43500 (cve)
  • CVE-2026-44574 (cve)
  • T1021.004 - SSH (mitre_attack)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • T1070 - Indicator Removal (mitre_attack)
  • AlmaLinux (platform)
  • CentOS Stream (platform)
  • Linux (platform)
  • RHEL (platform)
  • Fedora (company)
  • OpenSUSE (company)
  • Ubuntu (company)
  • Copy Fail (vulnerability)
  • Dirty Frag (vulnerability)