
Is the 90-Day Disclosure Window Dead? How AI is Rewriting the Rules of CVD

By CVDPortal Editorial Team

For over a decade, Coordinated Vulnerability Disclosure (CVD) has relied on a foundational agreement: the 90-day disclosure window. It was built on the assumption that bug finders were rare, patch development took time, and reverse-engineering a patch into a working exploit took even longer.

According to a new blog post by security researcher Himanshu Anand, that world is gone. Published just days ago, Anand's article, "the 90 day disclosure policy is dead," serves as a wake-up call to the industry. His core thesis is that Large Language Models (LLMs) have compressed both vulnerability discovery and exploit development timelines to near-zero, rendering traditional CVD embargoes and monthly patch cycles obsolete.

Here at CVDPortal, we constantly analyze the state of vulnerability management. Anand's observations highlight a practical development that every vendor, triage team, and researcher needs to understand.

The End of the Exclusive Finder Assumption

Traditional CVD assumes that when a researcher reports a vulnerability, they are likely the only person who knows about it. A 90-day embargo gives the vendor a safe head start to develop and deploy a fix.

Anand counters this assumption with a recent anecdote: after reporting a critical, easily exploitable bug to a company, triage informed him he was the eleventh person to report the exact same issue within a six-week window.

This phenomenon of simultaneous discovery is driven by LLM-assisted bug hunting. Triage teams are now seeing waves of duplicate reports within days of a vulnerability's initial discovery. The numbers are straightforward: if 10 legitimate researchers found the bug using AI tools, how many malicious actors found it and did not report it?

When AI democratizes bug discovery, the 90-day window stops protecting users and starts giving threat actors a 90-day head start. You cannot coordinate a quiet disclosure when the same vulnerability is being independently rediscovered by automated tools globally.

The Death of the N-Day Gap: 30 Minutes from Patch to Exploit

Historically, when a vendor published a security patch, there was a grace period. It took skilled reverse engineers days or weeks to analyze a patch diff and develop a working n-day exploit.

Anand demonstrated how AI has bypassed this safety net. Looking at a recent batch of React security updates (including CVE-2026-23870, CVE-2026-44575, and others), he fed the patch diffs into an LLM. Within 30 minutes, the AI had analyzed the diff, identified the vulnerable code path, and generated a working Denial of Service (DoS) Proof of Concept (PoC).

As Anand points out: "If you are reading CVE descriptions while attackers are reading git log diff-filter=M, you are already behind. The advisory is a downstream artifact. The patch diff is the signal."

Real-World Chaos: The Week Linux Caught Fire

If you think this is purely theoretical, Anand points to the recent Linux kernel crisis as proof. In late April and early May 2026, two back-to-back critical vulnerabilities affected the ecosystem.

Copy Fail (CVE-2026-31431): A straight-line logic flaw in the kernel crypto subsystem granting root access. Found in just one hour of automated AI scanning by the team at Xint Code. Within days of public disclosure, Iranian nation-state actors were already leveraging it in the wild to build DDoS infrastructure.

Dirty Frag (CVE-2026-43284 and CVE-2026-43500): Just a week later, researcher Hyunwoo Kim published this chained vulnerability. A 5-day embargo was agreed upon with the linux-distros mailing list. The embargo was broken within hours by an unrelated third party who published detailed exploit info. Within 24 hours of disclosure, Microsoft Defender confirmed in-the-wild exploitation, all while zero Linux distributions had a working patch available.

These are not edge cases. They are the new normal.

What This Means for the Future of CVD

For professionals managing Coordinated Vulnerability Disclosure, the takeaways from Anand's article are direct.

Monthly Patch Cycles are an Attack Window

The idea of scheduling a patch for the next maintenance cycle is a relic. If an exploit can be generated 30 minutes after a patch goes public, the maintenance window is now. Every critical security issue must be treated as a P0 and patched immediately.

Embargoes are Fragile

Embargoes rely on containment. When AI allows multiple independent researchers to find the same bug simultaneously, embargoes will inevitably leak or be broken. Vendors must be prepared for zero-day public drops at any moment.

Blue Teams Must Adapt

Bringing manual code review to an AI fight is, as Anand puts it, bringing a clipboard to a gunfight. Defenders must integrate LLMs deeply into their CI/CD pipelines. AI must be used for real-time code review at the point of the pull request, automated dependency scanning, and validating that newly developed patches do not introduce regressions.
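The "patch diff is the signal" point above cuts both ways: the fastest way for a blue team to learn that a dependency just shipped a quiet security fix is to watch its diffs rather than wait for the advisory. The following Python script is an added example written for this post, not code from Anand's article or from CVDPortal. It parses a unified diff (a constructed sample embedded inline, not from any real project) and ranks the changed files by heuristic signals of a security fix, such as a newly added length check in front of a memory copy or a new error return, so that a team can fast-track review and patching of that commit. The signal patterns, their weights and the sample file names are assumptions.

```python
"""Rank files in a unified diff by how much they look like a silent security fix."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample diff (hypothetical project): one commit that adds a bounds check
# in front of a memcpy, plus an unrelated README version bump in the same commit.
SAMPLE_DIFF = """\
diff --git a/src/parser.c b/src/parser.c
--- a/src/parser.c
+++ b/src/parser.c
@@ -40,6 +40,9 @@ int parse_record(const uint8_t *buf, size_t len, struct record *out)
 {
     uint16_t name_len = read_u16(buf);
+    if (name_len > len - 2)
+        return -EINVAL;
+
     memcpy(out->name, buf + 2, name_len);
     return 0;
 }
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# parser 1.2
+# parser 1.3
 A small record parser.
"""

# Heuristic signals: (pattern over one '+' or '-' diff line, label, weight).
# Patterns and weights are hypothetical starting points; tune them per code base.
SIGNALS = [
    (re.compile(r"^\+\s*if\s*\(.*\b\w*(len|size|count|off)\w*\s*[<>]=?"), "added bounds/length check", 3),
    (re.compile(r"^\+.*\breturn\s+-E(INVAL|OVERFLOW|RANGE|PERM|ACCES)\b"), "new error return", 2),
    (re.compile(r"^\+\s*if\s*\(.*(==|!=)\s*(NULL|nullptr)\b"), "added NULL check", 1),
    (re.compile(r"^[-+].*\b(memcpy|strcpy|strcat|sprintf|alloca)\b"), "touches unsafe copy/alloc", 2),
    (re.compile(r"^[-+].*\b(authenticat|authoriz|permission|privilege|capable)\w*", re.I), "touches access-control code", 2),
]

FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")


def parse_diff(text: str) -> dict[str, list[str]]:
    """Map each file path in a unified diff to its added/removed lines (prefix kept)."""
    files: dict[str, list[str]] = {}
    current: str | None = None
    for line in text.splitlines():
        header = FILE_HEADER.match(line)
        if header:
            current = header.group(2)
            files[current] = []
            continue
        # Skip the ---/+++ file markers and @@ hunk headers; keep only changed lines.
        if current is None or line.startswith(("+++ ", "--- ", "@@")):
            continue
        if line.startswith(("+", "-")):
            files[current].append(line)
    return files


@dataclass
class Triage:
    path: str
    score: int
    reasons: list[str]


def score_changes(lines: list[str]) -> tuple[int, list[str]]:
    """Sum signal weights over the changed lines of one file and collect the reasons."""
    score, reasons = 0, []
    for line in lines:
        for pattern, label, weight in SIGNALS:
            if pattern.search(line):
                score += weight
                if label not in reasons:
                    reasons.append(label)
    return score, reasons


def triage(diff_text: str) -> list[Triage]:
    """Return the files of a diff, highest security-fix likelihood first."""
    results = [Triage(path, *score_changes(lines)) for path, lines in parse_diff(diff_text).items()]
    return sorted(results, key=lambda t: t.score, reverse=True)


if __name__ == "__main__":
    for item in triage(SAMPLE_DIFF):
        print(f"{item.score:>3}  {item.path}  {', '.join(item.reasons) or '-'}")
```

Run against the output of `git log -p` for a pinned dependency and anything that scores above a threshold goes to a human reviewer the same day, independent of whether a CVE has been assigned yet; the heuristics are deliberately simple so that the ranking stays explainable when it is wired into a CI job.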

Final Thoughts

The cybersecurity industry has changed over the last 12 months. The 90-day disclosure policy was not killed by malice. It was killed by math, automation, and the speed of modern tooling.

At CVDPortal, we think the industry must adjust. Vendors can no longer rely on lengthy disclosure timelines, and researchers should push for the shortest possible disclosure windows. The tools exist to automate the defensive side just as attackers have automated the offensive side. The only question is whether the industry will adapt before the next Dirty Frag hits production environments.

Read Himanshu Anand's full article for a deep dive into the technical specifics, and stay tuned to CVDPortal for ongoing discussions on adapting vulnerability management for the AI era.
