
AI Builds Working Exploits in 30 Minutes, Killing 90-Day Patch Window

Huma Shazia, 11 May 2026 at 7:48 pm, 5 min read

Key Takeaways

Source: The Decoder
  • AI tools can reverse-engineer security patches into working exploits in 30 minutes
  • One vulnerability was reported by 11 different researchers in six weeks, suggesting AI-driven parallel discovery
  • The traditional 90-day disclosure window rests on four assumptions that AI has invalidated

The security industry's 90-day vulnerability disclosure window is based on a simple premise: give vendors time to fix bugs before attackers find them. A veteran researcher says that premise is dead.

Himanshu Anand, a Firewall Security Analyst at Cloudflare and former Symantec engineer, published a detailed analysis showing how AI language models have broken every assumption behind coordinated disclosure. His team, Water Paddlers, was a three-time consecutive finalist at the DEF CON hacking competition.

The problem isn't theoretical. Anand walked through three real-world cases where AI tools collapsed timelines that used to protect defenders.

The Four Assumptions That No Longer Hold

Google's Project Zero popularized the 90-day disclosure window. The model rests on four assumptions that Anand says AI has invalidated.

  1. The person who found the bug is probably the only one who spotted it.
  2. Even if other researchers discover the same flaw, they will take their own time to do so.
  3. The vendor has a comfortable head start on writing the patch.
  4. After a patch ships, attackers still need days or weeks to reverse-engineer a working exploit.

Each assumption gave defenders breathing room. AI has compressed that room to nearly zero.

Eleven Reporters, One Bug, Six Weeks

In April, Anand reported a critical flaw in an online store that let anyone complete purchases for zero dollars. The vendor's response was unexpected: he was the eleventh person to report the same bug in six weeks.

A triage staffer described the pattern to Anand: once someone discovers a flaw using an AI tool, waves of nearly identical reports roll in within days.

Anand's question cuts to the heart of the problem: if ten honest researchers find the same flaw, how many find it and stay quiet?

That one example kills the first two assumptions. Vulnerabilities are not exclusive discoveries anymore. Parallel finders do not need extra time when they are all using the same AI tools.

30 minutes: the time it took Anand to build a working exploit from a React security patch using an AI language model.

From Patch to Exploit in 30 Minutes

Anand's second example is more alarming. React, the widely used web framework, released several security patches. Anand downloaded the source code diff and used a language model to help him build a working exploit.

It took 30 minutes.

Experienced reverse engineers used to need days for the same task. Sometimes weeks. That gap between patch release and exploit availability was supposed to give system administrators time to update their systems.

That gap no longer exists.


What Anand Recommends

Anand does not claim to have all the answers, but he offers three recommendations for different players in the security ecosystem.

  • Vendors should treat critical bugs as immediate emergencies, not 90-day projects.
  • Security researchers should shorten disclosure timelines to match the new reality.
  • System administrators should deploy patches instantly, not on scheduled maintenance windows.

The common thread: speed. Every actor in the chain needs to move faster because attackers now can.

The Broader Implications

The 90-day disclosure window was a negotiated truce between security researchers and vendors. Researchers agreed to give vendors time to patch. Vendors agreed to actually patch instead of ignoring reports.

That truce assumed a world where time was on the defender's side. AI has shifted that balance. When multiple researchers find the same bug within weeks, and when patches can be weaponized in minutes, the 90-day window becomes a liability.

Anand is not calling for immediate public disclosure of all vulnerabilities. He is arguing that the industry needs to rethink timelines that were designed for a pre-AI world.

If ten honest researchers find the same flaw, how many find it and stay quiet?

— Himanshu Anand, Cloudflare Firewall Security Analyst

The question answers itself. In a world where AI tools democratize vulnerability discovery, the old assumption that bugs stay hidden until formal disclosure is wishful thinking.

Frequently Asked Questions

Why is the 90-day vulnerability disclosure window under threat?

AI tools allow multiple researchers to find the same vulnerabilities almost simultaneously and enable attackers to reverse-engineer patches into exploits in minutes instead of days.

How fast can AI create a working exploit from a security patch?

In one documented case, security researcher Himanshu Anand built a working exploit from a React security patch in 30 minutes using an AI language model.

What should companies do to protect against AI-accelerated exploits?

Vendors should treat critical bugs as emergencies, security researchers should shorten disclosure timelines, and system administrators should deploy patches immediately rather than waiting for scheduled maintenance windows.

Who is Himanshu Anand?

Anand is a Firewall Security Analyst at Cloudflare, former Symantec engineer, and member of Water Paddlers, a team that was a three-time consecutive finalist at the DEF CON hacking competition.

Source: The Decoder / Maximilian Schreiner

Huma Shazia

Senior AI & Tech Writer