The 90 Day disclosure policy is dead
unknownhad
16 points
3 comments
May 09, 2026
Related Discussions
Found 5 related stories in 600.3ms across 14,015 title embeddings via pgvector HNSW
- 1k Data Breaches Later, the Disclosure Lag Is Worse 882542F3884314B · 52 pts · June 08, 2026 · 49% similar
- Cursor 0day: When Full Disclosure Becomes the Only Protection Left Synthetic7346 · 310 pts · July 14, 2026 · 47% similar
- Microsoft Disclosure Provides Rare Glimpse of Tax Haven Tactics JumpCrisscross · 29 pts · July 06, 2026 · 43% similar
- Microsoft Disclosure Provides Rare Glimpse of Tax Haven Tactics 1vuio0pswjnm7 · 13 pts · July 04, 2026 · 43% similar
- Notice of Obsolescence ggaughan · 20 pts · April 28, 2026 · 42% similar
Discussion Highlights (2 comments)
unknownhad
The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near-zero. I have seen it first hand, and so has everyone else paying attention. This post lays out why the old model is broken, with real stories, and makes one ask to the industry: treat every critical security issue as P0 and patch it immediately.
pessimizer
I don't think this makes any sense. I can see that long delays in public reporting might not be good for the near future, but a year from now all of the easily found stuff will have been found. At some point, everything will have hardened to a certain extent, new things will get scanned before they hit the streets, and the only bugs being found will rely a lot more on somebody's insight than the LLM used to test that insight. I think people are getting overly impressed/intimidated by tons of bugs being found by LLMs in a bunch of code that hasn't been looked at by more than a couple of people in years, or even at all since it was written. Those are going to run out. There won't be any code left that hasn't recently been looked over by an LLM.