🤖 AI Summary
The traditional 90-day responsible disclosure policy is deemed obsolete due to rapid advancements in AI technology, particularly in large language models (LLMs) that have expedited both vulnerability discovery and exploit development. The old model operated under the assumption that bug finders were scarce and that there would be ample time for vendors to patch critical vulnerabilities. However, recent reports indicate that multiple researchers can identify the same bug within weeks, with AI tools enabling swift exploitation of vulnerabilities post-disclosure, thus eroding the efficacy of the disclosure window.
This shift is significant for the AI/ML community as it illustrates the need for urgent action in cybersecurity practices. The narrative highlights instances where vulnerabilities were exploited in record time—sometimes merely hours after disclosure—emphasizing that companies can no longer afford to delay patch deployment. To adapt, the industry must treat every critical security issue as a priority, implementing immediate fixes rather than postponing them to later cycles. This new approach reflects a pressing requirement for a more dynamic and responsive vulnerability management framework.