The 90 Day disclosure policy is dead
4 hours ago
- #responsible-disclosure
- #artificial-intelligence
- #cybersecurity
- The 90-day disclosure policy is outdated because AI tools enable more rapid discovery and exploitation of vulnerabilities.
- Multiple independent researchers can now simultaneously find the same critical bugs within weeks, as LLMs assist bug hunters.
- Exploit development from patch analysis is accelerated, reducing the timeline to mere minutes.
- Real-world examples like 'Copy Fail' and 'Dirty Frag' Linux vulnerabilities show immediate weaponization post-disclosure.
- Embargoes can be broken swiftly, and public exploits can emerge even before patches are available.
- The author calls for treating critical vulnerabilities as P0 emergencies, demanding immediate fixes.
- Blue teams must adopt AI into workflows for proactive scanning, patch analysis, and automated security testing.
- Monthly patch cycles and traditional vulnerability management are insufficient; real-time responses are essential.