The 90 Day Disclosure Policy Is Dead
The article argues that the traditional 90-day vulnerability disclosure policy is no longer effective due to advances in AI and large language models (LLMs) that have drastically sped up bug discovery and exploit development. Real-world examples show multiple researchers independently finding the same critical bugs within weeks and exploits emerging minutes after patches are released, leaving no safe window for vendors to patch before attacks occur. The author urges the security industry to treat every critical bug as a top priority for immediate fix and to integrate AI-assisted tools into continuous development and security processes to keep pace with emerging threats.
https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/



