tech 11 May 2026

The 90 Day Disclosure Policy is Dead

The 90-day responsible disclosure policy, once a cornerstone of cybersecurity, is now obsolete. With AI tools compressing the timelines for bug discovery and exploitation to nearly zero, companies must rethink their vulnerability management strategies.

Article inspired by the original source: "The 90 Day Disclosure Policy is Dead" (blog.himanshuanand.com)

Introduction

The cybersecurity world has long operated under the 90-day responsible disclosure policy. This standard, established to give companies time to fix vulnerabilities before they are made public, now seems out of step with reality. Why? Rapid advancements in artificial intelligence (AI) have turned the equation upside down, rendering obsolete the assumptions that underpinned this approach.

The Old Standard

Imagine it's 2019. When a researcher discovers a critical bug, they follow a well-trodden process: write a report, send it to the vendor, and grant them a 90-day grace period to fix the issue before it goes public. This timeline assumed the researcher was likely the only one who found the bug and that attackers would take days or weeks to exploit it. These assumptions are now relics of the past.

AI's Impact on Security

Large language models (LLMs) have dramatically transformed the landscape. Take a classic example: a bug is discovered, and within hours an AI model can not only reproduce the bug but also suggest ways to fix or exploit it. This speed obliterates the 90-day grace period.

Concrete Example: An Exploit in 30 Minutes

Recently, a vulnerability was discovered in a popular piece of software. Less than an hour after the patch was released, attackers had already reverse-engineered the patch to create a functional exploit. This phenomenon, once rare, is becoming increasingly common, which underscores the need to respond to security flaws immediately.

What Needs to Change

In light of this new reality, companies must adopt a more proactive approach. Every critical vulnerability must be treated as a Priority Zero (P0). This means: no delays, no waiting until the next development sprint. Patches must be deployed as soon as possible.

Strategies to Adapt

  1. Automated Patching: Use automated tools to quickly deploy patches as soon as they become available.
  2. Continuous Assessment: Implement continuous assessment systems to identify and fix vulnerabilities in real time.
  3. Increased Collaboration: Encourage close collaboration between development and security teams to ensure a rapid and effective response.

Conclusion

The 90-day disclosure policy is indeed dead. Companies must be prepared to act quickly and effectively to protect their systems and data. Ignoring this necessity could have disastrous consequences.
