The 90-day vulnerability disclosure policy is no longer meaningful, as AI is accelerating bug detection and exploit development.

The '90-day vulnerability disclosure rule,' established by Google's vulnerability research team 'Project Zero,' stipulates that if a fix patch is not released within 90 days of a vulnerability being reported, details must be made public. This rule is sometimes considered a standard in the security industry. However, security researcher Himanshu Anand points out that this rule is effectively collapsing due to the rise of AI and the increasing complexity of software.

the 90 day disclosure policy is dead :: Himanshu Anand :: Threat Notes
https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/

The '90-Day Vulnerability Disclosure Rule' is a vulnerability disclosure policy that Google's security team, Project Zero, has been actively promoting since around 2014. It stipulates that when a software vulnerability is discovered, the developer must be promptly notified and given a 60-90 day grace period to create and distribute a patch. If a patch is not distributed by the end of the grace period, the vulnerability is publicly disclosed on Project Zero's official blog so that users are not left unknowingly at risk.

What is 'Project Zero,' the dream team comprised of Google's most brilliant bug hunters and hacking prodigies? - GIGAZINE

This rule, which encourages companies to respond quickly, has become established in the security industry as a prime example of 'responsible disclosure' and has been adopted by many IT companies and research communities. However, Anand points out that 'the era in which this rule can be applied is over.'

According to Anand, the rule granting a 90-day grace period was created at a time when bug reports were rare and developing a working exploit for a discovered bug took time. For example, if a critical bug was discovered around 2019, it was very rare for anyone else to have found the same bug, and once it was reported to the company there was little chance that it would be exploited before a patch could be applied within the 90-day grace period.

However, today highly capable coding AI makes it possible to find bugs and develop exploits in a very short amount of time. Reporting a critical bug now often results in dozens of identical reports, and since it is not only well-intentioned reporters who find the same bugs, Anand points out that the 90-day grace period amounts to 'a 90-day lead time for malicious discoverers to exploit the bug.'

As a concrete example, Anand recounts an experiment in which he measured how much effort it takes to turn a security patch into a working exploit, starting from a blog post about an already-resolved security issue. He says that in the past, understanding the patch, identifying the vulnerability, and converting it into a working exploit would have taken several days to several weeks, but with AI it was completed in 30 minutes.

Therefore, Anand states, 'The 90-day vulnerability disclosure rule doesn't need reform or tweaking; it's a dead rule. If AI makes bug detection and exploitation incredibly fast, what exactly is this rule protecting?'

Furthermore, for the same reasons, the 'monthly patch cycle,' which involves implementing security updates every month, is also considered dead. The monthly patch cycle, which gives up to a 30-day grace period for fixing vulnerabilities after their discovery, was based on the assumption that attackers' cycles for releasing exploits were slower than that.

Anand states that instead of the outdated 90-day rule, it is necessary to 'treat every bug as a top-priority P0 and apply patches immediately.' He says that even if it sounds like an unreasonable demand, 'as soon as a security issue is reported, start fixing it immediately and complete the fix within a few hours' is the only solution.

in AI, Security, Posted by log1e_dh