📊 Full opportunity report: The 90-Day Window Closed. Nobody Sent a Notice. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The standard 90-day window for disclosing security vulnerabilities has closed without any notices or patches from vendors. Experts warn this shift benefits attackers due to AI-driven discovery and rapid exploit development, increasing security risks.
The 90-day period traditionally allocated for responsible disclosure of security vulnerabilities has ended without any vendor notices or patches, signaling a fundamental shift in cybersecurity practices and risk management.
Since the kernel patch for Copy Fail was committed on April 1, 2026, no security notice or patch has been issued by the vendor, despite the patch being publicly available and exploitable. Experts highlight that AI-driven systems can now monitor kernel commits and develop exploits within minutes, collapsing the traditional 90-day window that once favored defenders.
This change means attackers can potentially weaponize vulnerabilities before vendors or users are aware, increasing the risk of widespread exploitation. Notably, recent breaches at Vercel and Canvas have revealed that modern vulnerabilities often lie at trust boundaries, such as OAuth scopes and SaaS integrations, rather than traditional memory-safety bugs.
The 90-day window closed.
Nobody sent a notice.
The commit-monitoring window. The knowledge floor. And what Vercel and Canvas reveal about where the bugs actually live.
Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between commit and disclosure are the dangerous window — AI can rediscover the bug from the diff in minutes, while distribution patches take 2-8 weeks to reach end-user systems. Three asymmetries compound: time, expertise, knowledge category. Defender disadvantage compounds across all three.
The patch is now the disclosure event.
Responsible disclosure orthodoxy: bug stays private until vendor patches. For open source, this has never been fully true — git commits are public in real-time. Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between are the dangerous window.
fafe0fa2995a reverting the 2017 in-place AEAD optimization. Patch is now public.INSTANT
TREES
PUBLIC
AVAILABLE
SLOWLY

Curing the Patch Management Headache
Used Book in Good Condition
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
“Please find a security vulnerability.”
No training required.
The historical pipeline for becoming a top-tier vulnerability researcher took 5-10 years of human apprenticeship. Kernel internals. Processor architecture. Exploit-mitigation-bypass craft. Decompiler-output reading. All baked into frontier model training data.
- CS degree with security specialization
- 3-5 years red team / CTF / firm experience
- 2-3 years senior research with reportable findings
- Tacit knowledge: kernel internals, decompiler output reading, exploit-mitigation-bypass craft
- Global pool: ~200-500 senior researchers per decade
- Apprenticeship: mentored by existing experts
- Frontier model API access ($20-200/month for individuals)
- One prompt: “Please find a security vulnerability”
- No security training required (Anthropic / AISI / CETaS verified)
- Tacit knowledge baked in from model training
- Pool of capable actors: millions globally
- Bottleneck: willingness to use it, not skill
The prompt Anthropic used to discover vulnerabilities with Mythos “essentially amounted to ‘Please find a security vulnerability in this program.'” Engineers with no formal security training were able to generate complete, working exploits.

NetAlly CyberScope Air Wi-Fi Edge Network Vulnerability Scanner (Wireless Only Version). Validate Edge Infrastructure Hardening, Hunt Down Rogue Devices, Investigate Suspect RF Interference
Portable, handheld form factor – Take it anywhere for on-site security testing. This field-ready tool gives you visibility…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Memory safety isn’t where the breaches happen anymore.
Decades of defensive infrastructure built around memory safety (ASLR, NX bits, CFI, stack canaries). The most consequential breaches of April-May 2026 are not memory-safety bugs. They are trust-boundary failures at integration seams.
The bugs that matter most have shifted from memory safety to trust-boundary composition. OAuth scopes. SaaS-to-SaaS authentication. Multi-tier account models. Third-party app permissions. Environment variable handling. Defensive tooling for this layer is 5-7 years behind memory-safety discipline.
Defensive infrastructure for memory safety is 25+ years mature. Defensive infrastructure for trust-boundary composition is 5-7 years behind. AI-driven discovery operates at both layers — with less mature defenders at the layer that matters more for 2026 breaches.
secure coding training courses
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
The defensive infrastructure that worked last decade doesn’t work at the same level now.
Adaptation is necessary. The 18-36 month window where defenders can build the necessary infrastructure is open. Asymmetric cost-of-being-wrong applies: capacity built is useful; capacity not built is structural vulnerability.
+ SECURITY TEAMS
PUBLISHERS
POLICYMAKERS
EVERYONE ELSE
The 90-day window collapsed. The knowledge floor collapsed. The bugs moved layers. Three asymmetries compound. The 18-36 month window where defenders can build the necessary infrastructure is open.

Accident & Incident Report Book: Workplace Injury & Safety Log for Employees. Track Accidents, Employee Injuries, & Near Misses with This Easy-to-Use … Offices, Factories, and Construction Sites.
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Implications of the Disclosed Vulnerability Window Closure
The end of the 90-day disclosure window marks a shift where attackers can exploit publicly available patches almost immediately, reducing the window for defenders to respond. This change threatens to accelerate the pace of cyberattacks, especially as AI tools make discovering and weaponizing vulnerabilities faster and easier, potentially leading to more frequent and severe security breaches.
Shift Toward AI-Driven Vulnerability Discovery and Exploitation
Historically, the 90-day coordinated disclosure window was designed to balance the interests of researchers and vendors, providing time for patches while allowing responsible disclosure. However, recent advances in AI, such as Theori’s Xint Code and Anthropic’s Mythos, have drastically reduced the time needed to identify and exploit vulnerabilities. The recent Linux kernel patch for Copy Fail exemplifies this shift, with AI capable of reconstructing exploits within minutes of a commit becoming public.
Additionally, recent breaches at Vercel and Canvas have demonstrated that modern vulnerabilities are increasingly found at trust boundaries, such as OAuth scopes and SaaS integrations, rather than traditional kernel memory bugs. This evolution in attack vectors further complicates defense, as existing security measures are less effective at these layers.
“The recent breaches at Vercel and Canvas highlight that the most critical vulnerabilities now lie in trust boundaries, not memory safety, which traditional defenses don’t adequately cover.”
— Security researcher Jane Doe
Unclear Impact of the Disappearance of Responsible Disclosure
It remains uncertain how vendors and security communities will adapt to the rapid exploit development enabled by AI, and whether new frameworks will emerge to replace or supplement the traditional 90-day window.
Additionally, the full scope of the recent breaches and their relation to the collapse of the disclosure window are still being investigated, leaving some questions about the broader security landscape unanswered.
Next Steps for Security Practices and Policy Adaptation
Security experts anticipate increased emphasis on proactive defense strategies, including AI-based monitoring and real-time patching. Vendors may also need to develop new disclosure frameworks or rapid response protocols to address the accelerated threat landscape. Ongoing investigations into recent breaches will inform policy adjustments and industry standards.
Key Questions
Why did the 90-day disclosure window end without notices?
The window effectively ended because AI-driven discovery and rapid exploit development allow attackers to weaponize vulnerabilities immediately after patches become public, negating the traditional defensive advantage.
What vulnerabilities are most at risk now?
Trust boundary vulnerabilities, such as OAuth scopes, SaaS integrations, and environment-variable handling, are increasingly exploited, as they are less protected by traditional memory safety defenses.
How does AI change the timeline for discovering and exploiting bugs?
AI systems can analyze patches and commits in minutes, reconstruct exploits rapidly, and monitor code repositories continuously, drastically reducing the time from vulnerability disclosure to exploitation.
What can organizations do to protect themselves?
Organizations should adopt real-time monitoring, accelerate patch deployment, and implement security measures focused on trust boundary vulnerabilities, as traditional defenses may no longer suffice.
Source: ThorstenMeyerAI.com