Why the 90‑Day Vulnerability Disclosure Policy Is Effectively Dead
The article argues that AI‑driven discovery, rapid exploit generation, and simultaneous reporting have shattered the four original assumptions of the 90‑day disclosure window, leaving the policy obsolete as patches often lag behind public exploits and industry debates intensify.
Four Assumptions That Made the 90‑Day Policy Work
The 2014 Google Project Zero window relied on four "never‑changing" assumptions: (1) vulnerability researchers are scarce; (2) exploit development takes weeks; (3) the discoverer is the sole holder of the flaw; and (4) patch rollout needs time.
All four have collapsed by 2026.
Story 1: Six Weeks, Eleven Reporters
Researcher Himanshu Anand reported a payment‑interface bug that allowed zero‑price purchases of $5,000 items. The vendor replied, "This vulnerability was disclosed in March; you are the 11th reporter." Within six weeks, eleven independent researchers had found the same issue.
Another researcher, @d0rsky, observed that AI‑assisted scanning floods vendors with duplicate reports in days, and attackers can exploit the same findings before patches are applied.
This invalidates Assumption 3: the “polite” 90‑day window no longer protects anyone when dozens know the flaw.
Story 2: 30 Minutes from Patch to Exploit
After React Security published several CVEs with full patch notes, Anand asked how long it would take to reverse‑engineer a working exploit. The answer: 30 minutes.
AI performed the heavy lifting—diff analysis, vulnerable code path identification, and PoC generation—producing a functional DoS exploit. In the past, this would have required days to weeks.
Thus Assumption 2 (weeks for exploit development) is broken; the moment a patch is public, an exploit already exists.
Story 3: Two Weeks, Two Linux Kernel Fires
Act 1: Copy Fail
On 29 April, Xint Code disclosed CVE‑2026‑31431 (Copy Fail), a deterministic kernel‑encryption bug exploitable with a one‑line command (curl | python3 && su). The exploit gained root on every major distro released since 2017. Researcher Taeyang Lee used AI to expand a manual audit that would have taken weeks into a one‑hour effort, leading to rapid weaponization by an Iranian threat actor.
Act 2: Dirty Frag
On 7 May, researcher @v4bel released Dirty Frag (CVE‑2026‑43284 and CVE‑2026‑43500), affecting IPSec ESP and RxRPC modules across all mainstream Linux distributions. Even systems patched for Copy Fail remained vulnerable.
The embargo was broken within hours by a third party, forcing an early public disclosure while no upstream patches existed. Only CVE‑2026‑43284 later received a mainline fix; CVE‑2026‑43500 still lacks a patch, yet a full exploit runs on all platforms.
Microsoft Defender observed field exploitation within 24 hours, with attackers gaining SSH access, deploying ELF binaries, and moving laterally.
This shatters Assumption 4: patches are unavailable at disclosure time, rendering the 90‑day window meaningless.
Industry Debate: Policy Dead or Norm Still Valuable?
Pro: No Reform Needed, Policy Is Dead
Analysts claim AI makes the rule protect nothing; it is merely a polite label.
Comments on Lobste.rs describe responsible disclosure as a “polite fiction” exposed by LLMs.
Open‑source advocate Trevor argues that embargoes contradict the transparent nature of open code.
Con: Social Norms Remain an Anchor
Opponents argue that norms keep researchers and vendors aligned and that small projects cannot afford rapid, simultaneous disclosures.
Jeremy Stanley notes a paradox: maintainers must use public LLM services to handle embargoed bugs, creating additional risk.
Regulatory Lag: Rules Chase but Can't Catch Up
Google Project Zero Policy Drift
2014: 90‑day window introduced
2020: Added "90+30" (90‑day fix + 30‑day rollout)
Aug 2025: Announced one‑week public disclosure while keeping 90+30
Apr 2026: Added "patch buffer" consideration
Each change reflects concession to reality rather than prevention.
NIST/NVD’s "Other Shoe Drops"
In April 2026, NIST’s NVD reduced low‑priority analysis staff after a 263% surge in CVE submissions, highlighting infrastructure strain.
FIRST Warning and HackerOne Pause
At Vulnerability Conference 26, FIRST warned of an "AI vulnerability tsunami"; HackerOne paused bounty programs citing an imbalance between discovery and remediation.
EU Push and US Cutback
The EU’s Cyber Resilience Act and NIS2 mandate 24‑hour early warning and 72‑hour notification, while the US side trims services, illustrating divergent regulatory trajectories.
What Comes Next?
Researcher Anand urges treating every critical vulnerability as P0—fix immediately, not within a sprint or after impact assessment.
Key recommendations for security teams:
Real‑time vulnerability management: shift from weekly scans to hour‑scale response.
AI‑assisted code review in CI/CD: run AI checks on every push, merge, and deploy.
Patch‑diff analysis pipelines: automatically fetch upstream diffs, assess impact, and prioritize within minutes.
Patch verification before release: use AI to confirm fixes and detect regressions before public disclosure.
The death of the 90‑day policy is gradual and structural; AI has broken every original assumption, accelerating discovery, exploit creation, and parallel reporting while patches lag behind.
This article has been distilled and summarized from source material, then republished for learning and reference.