LLMs have collapsed the time between patch publication and working exploit from days or weeks to roughly 30 minutes. The 90-day responsible disclosure standard is no longer viable, nor are monthly patch cycles.

Security researcher Himanshu Anand made the case in a blog post published May 9. His demonstration: after React shipped patches for five CVEs (CVE-2026-23870, CVE-2026-44575, CVE-2026-44579, CVE-2026-44574, CVE-2026-44578), Anand fed the patch diff to an LLM on a local test environment. Thirty minutes later he had a working denial-of-service proof of concept. "AI did most of the heavy lifting: understanding the diff, identifying the vulnerable code path, writing the PoC," he wrote.

Exploit speed compounds with discovery convergence. Anand reported a critical payment-bypass vulnerability to an unnamed e-commerce vendor — an unsigned server response that allowed purchasing a $5,000 item for $0 — and learned he was reporter number eleven. All eleven had independently found the same bug within roughly six weeks using LLM-assisted workflows. Bug-bounty triage engineer @d0rsky corroborated the pattern: "Once a new vulnerability is discovered — especially via some LLM prompt/skills/automation, we start getting a wave of duplicate reports within days. Same root cause, slightly different wording." His follow-on question cuts to the operational risk: "If researchers can replicate these findings so quickly, what's stopping blackhats from doing the same before the issue is fixed?"

The Linux kernel provided a case study in April. Two privilege-escalation vulnerabilities — Copy Fail and Dirty Frag, both targeting insecure zero-copy mechanisms — hit every major distribution in quick succession. Dirty Frag was disclosed publicly in just over a week, far short of the 90-day standard. The implicit acknowledgment: if the exploit is already circulating, disclosure delay offers no protection.

For enterprise security teams, the implication is direct. Monthly patch cycles assume attackers move slower than the release train. That assumption no longer holds. Every critical vulnerability should be classified as a P0 incident and patched immediately, not deferred to the next maintenance window. CTOs running infrastructure on standard cadences are operating on a security model that predates the current threat by several years.

Defenders must match the attacker's toolkit. Anand recommends integrating LLMs directly into code-push pipelines, dependency checks, and deployment gates — using the same pattern-recognition advantage that attackers exploit. Most security exploits stem from recurring bad programming patterns. An LLM running 24/7 catches those patterns faster than manual review. Anthropic's security research team tested Claude Opus 4.6 against well-fuzzed open-source codebases — projects with years of accumulated fuzzer CPU-hours — and found and validated more than 500 high-severity vulnerabilities without custom tooling or specialized prompting, some undetected for decades.
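One concrete form of the deployment gate described above, as an added example that is not Anand's tooling or anything from the article: a Python check that reads an npm lockfile, compares each pinned version against an advisory feed, and fails the build when a dependency falls inside a known-vulnerable range. The advisory entries, package names and lockfile contents are constructed for this example, and the placeholder IDs stand in for real CVE numbers. An LLM review step of the kind Anand recommends would sit alongside such a gate; this block shows only the deterministic version-range check that every pipeline gate needs.

```python
"""Dependency gate for a CI/CD pipeline (added example, constructed data).

Fails the deployment when a locked dependency version lies inside an
advisory's vulnerable range [introduced, fixed). Advisory IDs, package
names and the lockfile excerpt below are constructed, not real.
"""
import json
import sys

# Constructed advisory feed. "fixed": None means no patched release yet.
ADVISORIES = [
    {"id": "CVE-0000-EXAMPLE-1", "package": "example-web",
     "introduced": "18.0.0", "fixed": "18.3.2", "severity": "high"},
    {"id": "CVE-0000-EXAMPLE-2", "package": "example-web",
     "introduced": "19.0.0", "fixed": "19.1.1", "severity": "critical"},
    {"id": "CVE-0000-EXAMPLE-3", "package": "example-parser",
     "introduced": "0.0.0", "fixed": None, "severity": "medium"},
]

# Constructed excerpt in the npm package-lock v3 "packages" layout.
LOCKFILE = json.dumps({"packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/example-web": {"version": "19.0.4"},
    "node_modules/example-parser": {"version": "2.1.0"},
    "node_modules/example-safe": {"version": "1.0.0"},
}})


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Assumption: numeric dotted versions; pre-release and build metadata
    ('1.2.3-beta.1', '1.2.3+abc') are stripped before comparison.
    """
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, advisory):
    """True if version is in [introduced, fixed); unfixed means open-ended."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def load_lock(text):
    """Map package name -> pinned version from a package-lock v3 document."""
    deps = {}
    for path, info in json.loads(text).get("packages", {}).items():
        if not path:
            continue  # the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested installs
        deps[name] = info["version"]
    return deps


def evaluate_gate(lock_text, advisories, block_on=("critical", "high")):
    """Return every match and whether any of them should block the deploy."""
    deps = load_lock(lock_text)
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["package"])
        if pinned is not None and is_affected(pinned, adv):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "pinned": pinned,
                "fixed": adv["fixed"],
                "severity": adv["severity"],
            })
    blocking = [f for f in findings if f["severity"] in block_on]
    return {"findings": findings, "blocked": bool(blocking)}


if __name__ == "__main__":
    result = evaluate_gate(LOCKFILE, ADVISORIES)
    for f in result["findings"]:
        fix = f["fixed"] or "no fix released"
        print(f"{f['severity']:8} {f['id']} {f['package']}@{f['pinned']} (fix: {fix})")
    # Non-zero exit is what makes the CI job fail and hold the deploy.
    sys.exit(1 if result["blocked"] else 0)
```

Run it as a pipeline step and key the job's pass/fail on the exit status. A medium-severity match with no fixed release is reported but does not block here, so teams can see open items without freezing every deploy; with the article's P0 stance, the `block_on` tuple is where that policy is tightened.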

Open-source software presents a particular paradox. Public code visibility has historically enabled rapid community patching. LLMs invert that: the same openness hands attackers a complete, machine-readable attack surface. Mozilla shipped 423 security fixes in April alone, demonstrating that fast patch distribution is achievable in OSS. Closed-source vendors are not insulated: decompilation and network scanning add their own attack surface, and LLMs handle both with the same efficiency as source analysis.

The 90-day window was designed for a world where exploit development required skilled reverse engineers working over days. That world is gone. Security teams that have not moved to continuous runtime monitoring and on-demand patching are running a deprecated process.

Written and edited by AI agents