The 90-Day Window Closed. Nobody Sent a Notice.
Up next
Author
Share article
The post has been shared by 0 people.
Facebook 0
X (Twitter) 0
Pinterest 0
Mail 0

📊 Full opportunity report: The 90-Day Window Closed. Nobody Sent a Notice. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The traditional 90-day window for responsible disclosure has effectively closed without any vendor notices. AI advances now allow exploits to be developed rapidly after patches are published, shifting the security landscape.

The 90-day window for responsible disclosure has officially closed without any vendor notices or patches following recent security disclosures, signaling a fundamental shift in cybersecurity dynamics. This development underscores the growing power of AI-driven tools to rapidly discover and exploit vulnerabilities, making traditional defense timelines obsolete.

The 90-day coordinated disclosure period, established in the early 2000s and popularized by Google Project Zero in 2014, was designed to give vendors time to patch security flaws before public disclosure. This window depended on the assumption that reverse engineering patches takes time and that attackers need additional time to develop exploits after patches are released. However, recent advances in AI, exemplified by tools like Theori’s Xint Code, have collapsed these assumptions. In April 2026, a Linux kernel patch addressing the Copy Fail vulnerability was committed on April 1. By April 29, when the disclosure was made public, AI systems monitoring kernel commits could have reconstructed the exploit within minutes, not days. This means attackers could have weaponized the vulnerability before the vendor issued any notice or patch, rendering the traditional 90-day window ineffective. Furthermore, recent high-profile breaches at Vercel and Canvas/Instructure have revealed that the most critical vulnerabilities now lie in trust boundary failures—such as OAuth scopes and SaaS-to-SaaS integrations—areas where defensive measures like memory safety protections are less effective. The collapse of the knowledge floor, enabled by AI, means even engineers without security specialization can generate working exploits, drastically changing the threat landscape.
The 90-Day Window Closed. Nobody Sent a Notice.
DISPATCH / MAY 2026 SECURITY · DISCLOSURE COLLAPSE · COMMIT MONITORING · PART 2
▲ Part 2 · Security Disclosure Closed · May 2026
Software Security · Part 2 · The Disclosure Collapse

The 90-day window closed.
Nobody sent a notice.

The commit-monitoring window. The knowledge floor. And what Vercel and Canvas reveal about where the bugs actually live.

Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between commit and disclosure are the dangerous window — AI can rediscover the bug from the diff in minutes, while distribution patches take 2-8 weeks to reach end-user systems. Three asymmetries compound: time, expertise, knowledge category. Defender disadvantage compounds across all three.

Thorsten Meyer / ThorstenMeyerAI.com / May 2026 · Part 2
▲ THE THREE ASYMMETRIES · ALL FAVOR THE ATTACKER NOW
Asymmetry 01
Time
90-day window collapses to diff-to-exploit minutes. Distribution lag becomes the structural vulnerability window.
Asymmetry 02
Expertise
5-10 year apprenticeship pipeline collapses to “find a security vulnerability” prompt + API access.
Asymmetry 03
Category
Memory safety → trust-boundary composition. Defensive infrastructure built for the wrong layer.
Defender disadvantage compounds across all three. Faster exploitation + more attackers + harder vulnerability category with less mature defense.
28days
Copy Fail · mainline commit → public disclosure
Apr 1 commit · Apr 29 disclosure · the dangerous window
$2M
Vercel customer data · BreachForums asking price
OAuth supply chain · Context.ai → Google Workspace
275M
Canvas records exfiltrated · ~9,000 institutions
ShinyHunters · Free-For-Teacher vulnerability · 3.65 TB
“find it”
Mythos prompt complexity · no security training
“Please find a security vulnerability in this program”
28-DAY WINDOW COPY FAIL MAINLINE COMMIT APR 1 → DISCLOSURE APR 29 · BUG REDISCOVERABLE FROM DIFF VERCEL APR 19 CONTEXT.AI → OAUTH → GOOGLE WORKSPACE → VERCEL ENV VARS → $2M BREACHFORUMS CANVAS MAY 1-12 SHINYHUNTERS · 275M RECORDS · 9,000 INSTITUTIONS · FINALS WEEK OUTAGE KNOWLEDGE FLOOR “PLEASE FIND A SECURITY VULNERABILITY” · NO TRAINING REQUIRED · ENGINEERS PRODUCED WORKING EXPLOITS DISTRIBUTION LAG MAINLINE → STABLE → DISTRO PACKAGE → DEPLOY · 2-8 WEEKS TYPICAL · LEGACY: NEVER CATEGORY SHIFT OAUTH SCOPES · SAAS TRUST · ENV VARS · FREE-TIER ABUSE · NOT MEMORY SAFETY 28-DAY WINDOW COPY FAIL · APR 1 COMMIT → APR 29 DISCLOSURE · BUG REDISCOVERABLE FROM DIFF
Asymmetry 01 · time · the commit-monitoring window

The patch is now the disclosure event.

Responsible disclosure orthodoxy: bug stays private until vendor patches. For open source, this has never been fully true — git commits are public in real-time. Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between are the dangerous window.

Copy Fail · the disclosure-to-deployment timeline
Mainline commit is public from the moment it lands. Distribution propagation takes 2-8 weeks. AI processes the diff in minutes.
Apr 1 mainline ~Apr 10 stable Apr 29 disclosure Apr 30-May 7 distro patches +weeks deployed 28-day commit-to-disclosure window AI rediscovers from public diff PATCH IS PUBLIC · BUG IS PUBLIC · NO DEFENDER WARNING deployment lag unpatched systems exposed LONG TAIL · LEGACY · MONTHS+ AI watches every kernel commit “DOES THIS COMMIT FIX A SECURITY ISSUE?”
Apr 12026
Mainline commit lands. Linux kernel git tree publishes fafe0fa2995a reverting the 2017 in-place AEAD optimization. Patch is now public.
PUBLIC
INSTANT
~Apr 102026
Stable kernel backports. Greg KH’s stable trees include the patch. Still: no distribution package yet · no end-user deployment.
STABLE
TREES
Apr 292026
Public disclosure by Theori. CVE-2026-31431 announced. Most defenders learn of the bug 28 days after the patch was public on kernel.org.
CVE
PUBLIC
Apr 30 → May 72026
Distribution packages. Ubuntu, Amazon Linux, RHEL, SUSE, Debian, Fedora, Arch ship patched kernel packages. Each on its own schedule.
PACKAGES
AVAILABLE
+weeks → +months2026
End-user deployment. 30-day patch SLA · slower for regulated environments · effectively never for legacy systems without security updates.
DEPLOYED
SLOWLY
The 90-day window assumed private patches. Open-source patches are public from minute zero. The framework is misaligned with the capability landscape.
Asymmetry 02 · expertise · the knowledge floor collapse
CZUR Aura Pro Book & Document Scanner,Capture A3 & A4, Auto-Flatten & Deskew Powered by AI Technology, Foldable & Portable, Compatible with Windows & Mac OS

CZUR Aura Pro Book & Document Scanner,Capture A3 & A4, Auto-Flatten & Deskew Powered by AI Technology, Foldable & Portable, Compatible with Windows & Mac OS

Compatibility: Work with macOS 10.13 or later AND Windows XP/7/8/10/11

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

“Please find a security vulnerability.”
No training required.

The historical pipeline for becoming a top-tier vulnerability researcher took 5-10 years of human apprenticeship. Kernel internals. Processor architecture. Exploit-mitigation-bypass craft. Decompiler-output reading. All baked into frontier model training data.

The knowledge floor · before AI / now
Who can do vulnerability research. Pool of capable actors expands by orders of magnitude.
▲ Before · 2015-2023
Senior researcher path
  • CS degree with security specialization
  • 3-5 years red team / CTF / firm experience
  • 2-3 years senior research with reportable findings
  • Tacit knowledge: kernel internals, decompiler output reading, exploit-mitigation-bypass craft
  • Global pool: ~200-500 senior researchers per decade
  • Apprenticeship: mentored by existing experts
▲ Now · 2026
API access + one prompt
  • Frontier model API access ($20-200/month for individuals)
  • One prompt: “Please find a security vulnerability”
  • No security training required (Anthropic / AISI / CETaS verified)
  • Tacit knowledge baked in from model training
  • Pool of capable actors: millions globally
  • Bottleneck: willingness to use it, not skill

The prompt Anthropic used to discover vulnerabilities with Mythos “essentially amounted to ‘Please find a security vulnerability in this program.'” Engineers with no formal security training were able to generate complete, working exploits.

— Alan Turing Institute · CETaS · Claude Mythos cybersecurity analysis
Asymmetry 03 · category · where the bugs actually live
Creating a Patch and Vulnerability Management Program: Recommendations of the National Institute of Standards and Technology (NIST)

Creating a Patch and Vulnerability Management Program: Recommendations of the National Institute of Standards and Technology (NIST)

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Memory safety isn’t where the breaches happen anymore.

Decades of defensive infrastructure built around memory safety (ASLR, NX bits, CFI, stack canaries). The most consequential breaches of April-May 2026 are not memory-safety bugs. They are trust-boundary failures at integration seams.

Two case studies · April-May 2026
No memory corruption. No kernel exploit. Trust-boundary composition failures. Mature defensive infrastructure for memory safety doesn’t apply here.

The bugs that matter most have shifted from memory safety to trust-boundary composition. OAuth scopes. SaaS-to-SaaS authentication. Multi-tier account models. Third-party app permissions. Environment variable handling. Defensive tooling for this layer is 5-7 years behind memory-safety discipline.

▲ CASE 01 · APR 19 2026
Vercel · the OAuth supply chain attack
$2MBreachForums asking price
Chain: Lumma Stealer infected Context.ai employee (Feb 2026) → harvested Google Workspace OAuth tokens → attacker used token to access Vercel employee Google Workspace → pivoted into Vercel account → enumerated and decrypted non-sensitive env variables → exfiltrated customer credentials → posted database on BreachForums.
Pattern: third-party AI tool → OAuth → identity → platform → customer secrets
▲ CASE 02 · APR 30 – MAY 12 2026
Canvas / Instructure · free-tier abuse + extortion
275Mrecords · 3.65 TB · ~9,000 institutions
Chain: ShinyHunters found vulnerability in Canvas Free-For-Teacher account mechanism → exfiltrated 3.65 TB across 275M records → ransom negotiations stalled → defaced ~330 institution login portals during finals week → school-by-school extortion through May 12. Names, emails, student IDs, private inbox messages exposed.
Pattern: free-tier authorization flaw → mass data exfiltration → multi-tier extortion

Defensive infrastructure for memory safety is 25+ years mature. Defensive infrastructure for trust-boundary composition is 5-7 years behind. AI-driven discovery operates at both layers — with less mature defenders at the layer that matters more for 2026 breaches.

Operational response · four audiences
Network Intrusion Detection

Network Intrusion Detection

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

The defensive infrastructure that worked last decade doesn’t work at the same level now.

Adaptation is necessary. The 18-36 month window where defenders can build the necessary infrastructure is open. Asymmetric cost-of-being-wrong applies: capacity built is useful; capacity not built is structural vulnerability.

Operational response · by stakeholder
Calibrated to the new asymmetries · not to the historical defensive playbook.
▲ FOR CISOs
+ SECURITY TEAMS
Monitor upstream commits. Compress patch SLAs.
Implement upstream commit monitoring for kernels and critical software. Subscribe to mainline security lists. Evaluate suspicious commits with internal AI tooling. Target 72-hour deployment for kernel patches, 7-day for major apps, 14-day for everything else. Audit OAuth permission landscape. Treat SaaS supply chain as tier-1 infrastructure.
▲ FOR SOFTWARE
PUBLISHERS
Your commits document where your bugs are.
Security-shaped commits are findable by AI. Move toward private bug coordination for high-severity findings. Some vendors batch security fixes into general patches (Apple, Microsoft); open source structurally harder but worth attention. Run AI-driven discovery against your own codebase first — be first to know.
▲ FOR
POLICYMAKERS
Disclosure framework needs explicit policy attention.
Responsible disclosure is voluntary social technology that worked in the previous regime. Mandated disclosure standards, vendor patch SLA requirements, updated CVE management infrastructure. Linux distribution lag is a public-interest concern for critical infrastructure. OAuth/SaaS governance is a regulatory blind spot — Vercel is one of many March-April 2026 supply chain breaches.
▲ FOR
EVERYONE ELSE
Two-factor everything. Watch your OAuth grants.
Authenticator apps, not SMS. Passkeys where available. Aggressive credential rotation. Assume your SaaS providers will be breached — have a rotation playbook. Be wary of “Allow All” OAuth grants, especially for AI productivity tools requesting broad email/drive/calendar access. The Vercel chain started here.

The 90-day window collapsed. The knowledge floor collapsed. The bugs moved layers. Three asymmetries compound. The 18-36 month window where defenders can build the necessary infrastructure is open.

— Software security · the disclosure collapse · Part 2 · May 2026
Source dossier · the receipts
  • 732 Bytes to Root · the cost-curve collapse · Part 1
  • Theori / Xint Code · Copy Fail: 732 Bytes to Root · xint.io · Apr 29 2026
  • Linux kernel mainline patch · commit fafe0fa2995a · Apr 1 2026
  • CVE-2026-31431 · NVD · CVSS 7.8 (High) · CISA KEV listed
  • Project Zero · 90-day coordinated disclosure policy · 2014
  • Vercel Security Bulletin · April 2026 · vercel.com/kb/bulletin/vercel-april-2026-security-incident
  • Trend Micro · The Vercel Breach: OAuth Supply Chain Attack · Apr 21 2026
  • The Hacker News · Vercel Breach Tied to Context AI Hack
  • TechCrunch · Zack Whittaker · App host Vercel says it was hacked · Apr 20 2026
  • Hudson Rock · Context.ai Lumma Stealer compromise · Feb 2026
  • BleepingComputer · Vercel breach disclosure · Apr 19 2026
  • Instructure security incident · official disclosures · May 1-12 2026
  • Halcyon · Education Sector in the Crosshairs: ShinyHunters’ Extortion Campaign Against Instructure
  • Wikipedia · 2026 Canvas security incident · ongoing as of May 12 2026
  • CNN · Canvas hack: What we know · May 2026
  • Hackread · ShinyHunters Instructure + Vimeo breaches · May 2026
  • Anthropic Claude Mythos Preview System Card · Apr 7 2026
  • Alan Turing Institute / CETaS · Claude Mythos cybersecurity analysis
  • UK AI Security Institute · Mythos cyber capability evaluation
Colophon · Part 2

Set in Source Serif 4, IBM Plex Sans, & IBM Plex Mono. Security-advisory aesthetic. Free to embed with attribution.

thorstenmeyerai.com

Software security · the disclosure collapse · Part 2 of 2 · May 2026

28 days · 275M records · $2M · “find it”

Cybersecurity Threat Monitoring: Preventing Network Fraud with Best Practices : Implementing Effective Fraud Prevention Systems through Advanced Threat Monitoring Techniques

Cybersecurity Threat Monitoring: Preventing Network Fraud with Best Practices : Implementing Effective Fraud Prevention Systems through Advanced Threat Monitoring Techniques

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Implications of the Disappearance of the 90-Day Window

This development signifies a fundamental shift in cybersecurity, where the traditional time buffer for patching and defending against exploits no longer exists. The collapse of the 90-day window means defenders have less time to respond, and attackers can act almost immediately after a vulnerability is publicly known. The rise of AI-driven vulnerability discovery accelerates the pace of cyber threats, increasing the risk of zero-day exploits being weaponized before patches are available. This change demands a reevaluation of current security protocols, patch management strategies, and threat monitoring approaches.

Evolving Threat Landscape and the Role of AI in Vulnerability Discovery

Since the early 2000s, the responsible disclosure framework relied on a balance between researchers and vendors, with a 90-day window allowing vendors to patch vulnerabilities before they became public knowledge. This model depended on the assumption that reverse engineering patches and developing exploits took significant time. However, recent technological advances—particularly AI systems capable of analyzing code commits and generating exploits—have shattered this assumption. In 2026, AI tools like Theori’s Xint Code can analyze kernel commits, identify vulnerabilities, and produce working exploits in minutes. The recent disclosures of vulnerabilities in the Linux kernel, Vercel, and Canvas highlight that the most impactful threats now stem from trust boundary failures at the integration level, rather than traditional memory safety bugs. These vulnerabilities are less protected by existing defenses and are more accessible to AI-driven attack methods.

“The 90-day window is no longer a defender’s advantage; it has become an attacker’s window, thanks to AI-driven vulnerability discovery.”

— Thorsten Meyer

Unresolved Questions About Future Security Protocols

It remains unclear how security organizations will adapt to this accelerated threat environment. While the collapse of the 90-day window is evident, the effectiveness of new mitigation strategies, such as faster patching cycles, AI-based defense systems, or regulatory changes, is still uncertain. Additionally, the full extent of AI’s capability to discover and exploit vulnerabilities in real-world scenarios continues to develop, with ongoing debates about the scope and limitations of current tools.

Next Steps for Cybersecurity in an AI-Driven Era

Security vendors, organizations, and policymakers will need to reassess and redesign their vulnerability management strategies. Immediate priorities include developing faster patch deployment processes, integrating AI-based monitoring for early detection of exploits, and establishing new norms for disclosure and response. Monitoring ongoing disclosures and studying recent breaches like Vercel and Canvas will inform the evolution of defensive measures. The industry may also push for regulatory frameworks to address the new threat landscape.

Key Questions

What does the end of the 90-day window mean for cybersecurity?

It means that vulnerabilities can be exploited almost immediately after they are publicly disclosed, reducing the time defenders have to respond and patch effectively.

How has AI changed vulnerability discovery?

AI tools can analyze code commits, identify potential security flaws, and generate exploits within minutes, collapsing traditional timelines for patch development and exploitation.

Are existing defenses still effective against AI-driven exploits?

Many traditional defenses, like memory safety protections, are less effective against trust boundary failures and integration-level vulnerabilities, which are now more prevalent and accessible to AI-driven discovery.

What should organizations do to protect themselves?

Organizations should accelerate patch deployment, incorporate AI-based threat monitoring, and reevaluate their security strategies to address the new rapid exploitation landscape.

Will regulatory changes help mitigate these risks?

Potentially, but current developments suggest that technical and procedural reforms will be necessary to keep pace with AI-enabled threat capabilities.

Source: ThorstenMeyerAI.com

You May Also Like
hacker rewards for security

Bug Bounty Programs: How Hackers Get Paid to Secure the Web

Hackers can earn rewards through bug bounty programs by responsibly finding vulnerabilities, but understanding how these rewards work can be complex and rewarding.
Mystery Microsoft bug leaker keeps the zero-days coming

Mystery Microsoft bug leaker keeps the zero-days coming

An anonymous researcher has disclosed two new Windows zero-day vulnerabilities, including a BitLocker bypass and privilege escalation, after previous leaks this year.
X agrees to crack down on illegal hate and terror content in the UK

X agrees to crack down on illegal hate and terror content in the UK

Ofcom accepts new commitments from X to better remove illegal hate and terror content in the UK, including account restrictions and reporting benchmarks.
The Frameworks Can’t See the Thing That Matters: A Year of AI-Enabled Cyber Threats

The Frameworks Can’t See the Thing That Matters: A Year of AI-Enabled Cyber Threats

Anthropic mapped 832 banned accounts to MITRE ATT&CK and found technique counts no longer track AI-enabled cyber risk.