Frontier AI models dismantle 90-day security window by weaponizing patches in thirty minutes

As AI models weaponize security patches in minutes, the traditional 90-day disclosure window has become a dangerous liability.

May 11, 2026

For nearly a decade, the cybersecurity industry has operated under a fragile but effective truce known as coordinated disclosure. This standard, popularized by initiatives like Google’s Project Zero, typically gives software vendors a 90-day window to fix a vulnerability before technical details are made public.[1][2][3] The logic was simple: human researchers are rare, exploit development is a slow, artisanal craft, and a three-month head start allows defenders to secure the world’s infrastructure before attackers can react. However, recent advancements in large language models have effectively dismantled the foundations of this model. Security researchers now warn that the 90-day window has become a liability rather than a safeguard, as AI tools demonstrate the ability to turn security patches into working exploits in as little as 30 minutes.[2][3]
The collapse of this traditional timeline is being driven by the sheer speed at which AI can process code and identify logic flaws. Veteran security researcher Himanshu Anand, a firewall analyst at Cloudflare and a multi-year DEF CON hacking finalist, recently demonstrated how the advent of frontier AI models has fundamentally altered the threat landscape. In a series of experiments involving recently patched vulnerabilities in the React framework, Anand showed that an AI assistant could analyze a patch diff—the record of changes made to fix a bug—and generate a functional exploit for unpatched systems in half an hour. This process, known as n-day exploitation, historically required highly skilled reverse engineers to spend days or weeks laboring over binary code.[3] By automating the most tedious parts of this process, AI has reduced the safety margin for system administrators from weeks to minutes.[4]
This shift undermines the four core assumptions that have supported the 90-day disclosure era. First, the industry long assumed that the person who found a bug was likely the only one who had spotted it.[3][2] Second, it was assumed that even if others found the same flaw, they would work at their own independent pace.[2][3] Third, vendors believed they had a comfortable lead in writing and distributing a patch.[2][3] Finally, it was accepted that even after a patch was released, attackers would need significant time to reverse-engineer a working exploit.[2][3] Data from early 2026 suggests every one of these assumptions is now false.[3] AI discovery tools are so efficient that multiple researchers and state-sponsored groups are now finding the same vulnerabilities almost simultaneously. In one recent case involving a Linux kernel flaw, a dozen different reporters identified the same critical bug within a six-week period, leading to a breakdown in the embargo as information leaked across the research community.
The sheer capability of these new models is exemplified by Anthropic’s Claude Mythos, an AI engine developed under the restricted Project Glasswing initiative. While the model is not available to the general public due to its dual-use risks, its performance metrics have sent shockwaves through the cybersecurity industry.[5] In internal testing, Mythos achieved an 83.1 percent success rate on CyberGym tasks, which involve finding and exploiting novel vulnerabilities without human guidance. It also scored a perfect 100 percent on the Cybench benchmark across categories including binary exploitation, reverse engineering, and cryptography.[5] Perhaps most concerning was the model's ability to identify "forever-days"—vulnerabilities that have existed in code for decades. Mythos independently discovered a 17-year-old remote code execution flaw in the FreeBSD NFS server and a 16-year-old vulnerability in the FFmpeg codec, both of which had survived years of human review and automated fuzzing.
This "industrialization" of exploit development means that the gap between a patch being published and a threat being weaponized is effectively closing. Historical data from firms like Mandiant shows that a decade ago, the average window between disclosure and exploitation was roughly 63 days.[5] By 2024, that window had shrunk to five days.[5] In the current environment, the timeframe is often measured in hours. This creates an impossible situation for IT departments that still rely on monthly "Patch Tuesday" cycles. When an AI can scan the entire Linux crypto subsystem and produce a root-level exploit script in an hour—as was seen with the "Copy Fail" vulnerability—a 30-day maintenance window is no longer a management strategy; it is an open invitation for a breach.
The implications for the AI industry and the broader corporate world are profound. Security leaders are now advocating for a "prevention-first" mindset that treats every critical vulnerability as a Tier-0 emergency. The consensus among experts is shifting toward the idea that 90-day windows are "dead" because they no longer protect the user; instead, they provide a period of exposure during which attackers can refine their tools. Some researchers are calling for a move toward near-instant disclosure once a patch is ready, alongside the adoption of automated patching systems that can match the speed of AI-driven attacks.[5][2] If an attacker can weaponize a patch in 30 minutes, the defender must be able to deploy it in 15.
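The paragraph above turns the exposure problem into a deployment-latency target: if a patch can be weaponized in 30 minutes, the defender's budget for rolling it out is shorter than that. The script below is an added example, not code from the article or from any of the researchers or firms it cites; it shows how a defender would measure their own patch latency against that budget from fleet inventory data. All timestamps and hostnames are constructed sample data, and the 15-minute SLA and 30-minute exploitation point are taken from the article's figures rather than from any real advisory.

```python
"""Added example (not from the article): measure fleet patch latency against
an exploitation window. Inputs are constructed sample data."""
from datetime import datetime, timedelta, timezone
from math import ceil
from statistics import median

# Constructed: one advisory, patch published at 09:00 UTC.
PATCH_PUBLISHED = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)
# Constructed: first in-the-wild exploit observed 30 minutes after publication,
# the timescale the article reports for AI-assisted n-day exploitation.
FIRST_EXPLOITED = PATCH_PUBLISHED + timedelta(minutes=30)

# Constructed host records: (hostname, time the patch was applied, or None if
# the host is still unpatched).
DEPLOYMENTS = [
    ("web-01", PATCH_PUBLISHED + timedelta(minutes=12)),
    ("web-02", PATCH_PUBLISHED + timedelta(minutes=14)),
    ("app-01", PATCH_PUBLISHED + timedelta(minutes=20)),
    ("api-01", PATCH_PUBLISHED + timedelta(minutes=45)),
    ("db-01", PATCH_PUBLISHED + timedelta(hours=6)),
    ("legacy-01", None),
]


def exposure_minutes(patched_at, published_at, now):
    """Minutes a host was exposed: from patch publication until it was patched,
    or until `now` if it is still unpatched."""
    end = patched_at if patched_at is not None else now
    return (end - published_at).total_seconds() / 60.0


def percentile(values, pct):
    """Nearest-rank percentile (no interpolation), so p95 is an actual observed value."""
    ordered = sorted(values)
    idx = max(0, ceil(pct / 100.0 * len(ordered)) - 1)
    return ordered[idx]


def patch_latency_report(deployments, published_at, first_exploited, sla_minutes, now):
    """Summarize fleet exposure: latency distribution, SLA breaches, and hosts
    that were still unpatched when exploitation began."""
    rows = []
    for host, patched_at in deployments:
        minutes = exposure_minutes(patched_at, published_at, now)
        # Exposed after exploitation: still unpatched when the first exploit
        # appeared, or never patched at all.
        after_exploit = patched_at is None or patched_at > first_exploited
        rows.append((host, minutes, after_exploit, patched_at is None))
    latencies = [r[1] for r in rows]
    return {
        "median_minutes": median(latencies),
        "p95_minutes": percentile(latencies, 95),
        "sla_breaches": sorted(h for h, m, _, _ in rows if m > sla_minutes),
        "patched_after_exploit": sorted(h for h, _, a, _ in rows if a),
        "unpatched": sorted(h for h, _, _, u in rows if u),
    }


def demo_report(sla_minutes=15, hours_elapsed=24):
    """Run the report over the constructed fleet, as of `hours_elapsed` after publication."""
    now = PATCH_PUBLISHED + timedelta(hours=hours_elapsed)
    return patch_latency_report(DEPLOYMENTS, PATCH_PUBLISHED, FIRST_EXPLOITED, sla_minutes, now)


if __name__ == "__main__":
    report = demo_report()
    print(f"median latency: {report['median_minutes']:.1f} min, "
          f"p95: {report['p95_minutes']:.1f} min")
    print("over 15-minute SLA:", ", ".join(report["sla_breaches"]))
    print("still exposed when exploitation began:", ", ".join(report["patched_after_exploit"]))
    print("never patched:", ", ".join(report["unpatched"]))
```

The two lists the report separates are the ones worth tracking independently: an SLA breach is a process failure measured against your own target, while "patched after exploit" is the set of hosts that actually sat inside the attacker's window and should be triaged for signs of compromise rather than simply marked as late. Counting unpatched hosts as exposed up to the current time, instead of dropping them, keeps the p95 honest.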
Furthermore, the rise of autonomous AI agents is complicating the ethics of vulnerability reporting. Programs like Google’s "Big Sleep" and Anthropic’s "Project Glasswing" have successfully found dozens of zero-day vulnerabilities in open-source projects, but the volume of these reports is beginning to overwhelm maintainers. Small teams of volunteer developers are suddenly faced with a firehose of AI-generated security reports, many of which include complex exploit chains that require immediate attention. This has led to calls for the AI industry to provide not just the reports, but also AI-powered defensive tools to help these maintainers validate and fix the code at the same machine speed.
As AI models continue to evolve, the distinction between a researcher and an attacker will become increasingly blurred by the tools they share. The era of "artisanal" hacking, where a human expert might spend months on a single exploit, is giving way to a world of commodity-scale exploitation.[5][6] In this new landscape, the 90-day disclosure window is a relic of a slower, more predictable past.[5][3][7] For the technology industry to survive this transition, it must move away from the "safety by schedule" approach and embrace a model of continuous, rapid response. The maintenance window is no longer the third Tuesday of the month; in the age of AI, the maintenance window is now.
In conclusion, the acceleration of exploit generation from 90 days to 30 minutes represents a permanent shift in digital power dynamics. The traditional disclosure process was built for human speeds, but the current threat landscape is defined by the capabilities of frontier AI models.[5][8] As these tools become more accessible and autonomous, the industry must prepare for a future where vulnerabilities are discovered, reported, and exploited in a single afternoon. The casualty of this progress is the luxury of time. Organizations that fail to adapt their security workflows to this compressed timeline will find themselves increasingly vulnerable to a new class of high-speed, AI-augmented threats. The cybersecurity community must now decide whether to cling to the broken protocols of the past or build a new framework of defense that can operate at the speed of the models themselves.
