Technical Deep Dive

Is the 90-Day Disclosure Window Dead? How AI is Rewriting the Rules of CVD

For over a decade, Coordinated Vulnerability Disclosure (CVD) has relied on the 90-day disclosure window. Security researcher Himanshu Anand argues that LLMs have rendered this framework obsolete by compressing both vulnerability discovery and exploit development to near-zero timelines.

The End of the Exclusive Finder Assumption

After reporting a critical bug, Anand was told he was the eleventh person to report the same issue within six weeks. LLM-assisted bug hunting now drives waves of simultaneous discovery, making quiet embargoes impossible to maintain.

30 Minutes from Patch to Exploit

Anand fed React security patch diffs into an LLM and produced a working Denial of Service PoC within 30 minutes. The n-day gap that once gave defenders days or weeks has collapsed.

The Week Linux Caught Fire

Copy Fail (CVE-2026-31431) was found by automated AI scanning in one hour. Iranian nation-state actors leveraged it within days. Dirty Frag (CVE-2026-43284) had its 5-day embargo broken within hours, with in-the-wild exploitation confirmed before any Linux distribution had a working patch.

What Must Change

  • Monthly patch cycles are an attack window. Every critical issue must be a P0.
  • Embargoes are fragile. Vendors must be prepared for zero-day public drops at any moment.
  • Blue teams must integrate LLMs into CI/CD for real-time code review, dependency scanning, and patch regression testing.

Read the full analysis on our blog.