Language models can now reverse-engineer working exploits from security patches in roughly 30 minutes, upending the cybersecurity industry's standard vulnerability disclosure timeline.
Researchers have demonstrated that AI systems can analyze patched code, identify the underlying vulnerability, and develop functional exploit code far faster than traditional manual analysis. This capability compresses what historically took weeks of work into a half-hour window, creating a critical mismatch with the industry's 90-day coordinated disclosure standard.
The 90-day window emerged decades ago as a compromise between security researchers and vendors. It gave companies enough time to develop and deploy patches while preventing perpetual secrecy around known flaws. But AI acceleration breaks this balance. When a vendor patches a vulnerability, sophisticated threat actors can use language models to turn that patch into a working exploit within roughly half an hour, often before many users have deployed the fix.
A veteran security researcher quoted in the reporting argues the disclosure framework requires fundamental change. The current system assumes human researchers need substantial time to extract vulnerability details from patches. That assumption no longer holds. Even moderate AI capabilities can perform reverse-engineering at machine speed, meaning the 90-day grace period now favors attackers rather than defenders.
The implications ripple across enterprise security. Organizations can no longer assume they have 90 days to apply critical patches. Threat actors gain functional exploits almost immediately after patches ship. The window for safe deployment shrinks dramatically.
Security teams face a stark choice: patch faster or accept higher breach risk. But many organizations lack resources for immediate, company-wide patching. Legacy systems, testing requirements, and operational constraints create genuine barriers to instant deployment.
The research suggests the industry needs accelerated timelines for critical vulnerabilities, potentially compressed to 30 days or less. Some argue for hybrid models where vendors receive longer windows for low-risk flaws but face immediate release requirements for critical ones. Others propose AI-
