📊 Full opportunity report: The 90-Day Window Closed. Nobody Sent a Notice. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The 90-day coordinated disclosure period for a recent Linux kernel vulnerability has closed without any vendor notice or patch deployment. Experts warn this shift benefits attackers, as AI-driven tools can exploit bugs faster than defenders can respond.
Vendors have not issued any notices or patches for a critical Linux kernel vulnerability within the traditional 90-day disclosure window that closed recently, marking a significant shift in cybersecurity dynamics.
Historically, the 90-day window for responsible disclosure allowed vendors time to patch vulnerabilities after researchers reported them, balancing security and transparency. However, in 2026, this window has effectively been rendered obsolete due to advances in AI-driven vulnerability discovery and monitoring. The Linux kernel patch for a bug known as Copy Fail was committed on April 1, 2026, and publicly disclosed on April 29, but during this period, AI systems could analyze commits and develop exploits in minutes, not days.
Multiple recent breaches, including those at Vercel (April 19) and Canvas (May 1), reveal that the most impactful vulnerabilities now lie in trust boundaries at application interfaces rather than kernel memory safety bugs. These include OAuth scope misconfigurations and third-party app permissions, which are less protected by traditional defenses and are increasingly targeted by AI-enabled attackers.
The 90-day window closed.
Nobody sent a notice.
The commit-monitoring window. The knowledge floor. And what Vercel and Canvas reveal about where the bugs actually live.
Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between commit and disclosure are the dangerous window — AI can rediscover the bug from the diff in minutes, while distribution patches take 2-8 weeks to reach end-user systems. Three asymmetries compound: time, expertise, knowledge category. Defender disadvantage compounds across all three.
The patch is now the disclosure event.
Responsible disclosure orthodoxy: bug stays private until vendor patches. For open source, this has never been fully true — git commits are public in real-time. Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between are the dangerous window.
fafe0fa2995a reverting the 2017 in-place AEAD optimization. Patch is now public.INSTANT
TREES
PUBLIC
AVAILABLE
SLOWLY

WoneNice USB Laser Barcode Scanner Wired Handheld Bar Code Scanner Reader Black
- Easy Plug and Play Setup: Compatible with any USB port
- Universal Compatibility: Works with Windows, Mac, Linux, and common software
- High-Speed Scanning: 200 scans per second
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
“Please find a security vulnerability.”
No training required.
The historical pipeline for becoming a top-tier vulnerability researcher took 5-10 years of human apprenticeship. Kernel internals. Processor architecture. Exploit-mitigation-bypass craft. Decompiler-output reading. All baked into frontier model training data.
- CS degree with security specialization
- 3-5 years red team / CTF / firm experience
- 2-3 years senior research with reportable findings
- Tacit knowledge: kernel internals, decompiler output reading, exploit-mitigation-bypass craft
- Global pool: ~200-500 senior researchers per decade
- Apprenticeship: mentored by existing experts
- Frontier model API access ($20-200/month for individuals)
- One prompt: “Please find a security vulnerability”
- No security training required (Anthropic / AISI / CETaS verified)
- Tacit knowledge baked in from model training
- Pool of capable actors: millions globally
- Bottleneck: willingness to use it, not skill
The prompt Anthropic used to discover vulnerabilities with Mythos “essentially amounted to ‘Please find a security vulnerability in this program.'” Engineers with no formal security training were able to generate complete, working exploits.
Memory safety isn’t where the breaches happen anymore.
Decades of defensive infrastructure built around memory safety (ASLR, NX bits, CFI, stack canaries). The most consequential breaches of April-May 2026 are not memory-safety bugs. They are trust-boundary failures at integration seams.
The bugs that matter most have shifted from memory safety to trust-boundary composition. OAuth scopes. SaaS-to-SaaS authentication. Multi-tier account models. Third-party app permissions. Environment variable handling. Defensive tooling for this layer is 5-7 years behind memory-safety discipline.
Defensive infrastructure for memory safety is 25+ years mature. Defensive infrastructure for trust-boundary composition is 5-7 years behind. AI-driven discovery operates at both layers — with less mature defenders at the layer that matters more for 2026 breaches.
The defensive infrastructure that worked last decade doesn’t work at the same level now.
Adaptation is necessary. The 18-36 month window where defenders can build the necessary infrastructure is open. Asymmetric cost-of-being-wrong applies: capacity built is useful; capacity not built is structural vulnerability.
+ SECURITY TEAMS
PUBLISHERS
POLICYMAKERS
EVERYONE ELSE
The 90-day window collapsed. The knowledge floor collapsed. The bugs moved layers. Three asymmetries compound. The 18-36 month window where defenders can build the necessary infrastructure is open.
Implications of the Disappearance of the 90-Day Window
This development signifies a fundamental change in cybersecurity, where attackers can weaponize vulnerabilities immediately after they are publicly disclosed or even before, bypassing traditional defensive lead times. The collapse of the knowledge floor and the acceleration of exploit development threaten to undermine existing patching and response strategies, placing organizations at greater risk of rapid exploitation.
Evolving Threat Landscape and Disruption of Responsible Disclosure Norms
Since the early 2000s, the 90-day coordinated disclosure policy has been a cornerstone of cybersecurity, giving defenders time to respond to new vulnerabilities. This framework depended on assumptions that reverse engineering patches took significant time and that exploits could not be developed instantly. However, recent technological advances, notably AI systems capable of analyzing commits and generating exploits in minutes, have shattered these assumptions. The rapid discovery and weaponization of bugs, exemplified by the Copy Fail case, illustrate how the traditional window is no longer a safeguard but a vulnerability itself.
“Our investigations show that recent breaches exploited trust boundary flaws, which are not addressed by memory safety patches.”
— Vercel security spokesperson
Unclear Impact on Future Vulnerability Management
It remains uncertain how organizations will adapt their vulnerability management strategies in response to the collapse of the traditional disclosure window. The long-term effects on patch deployment, attacker behavior, and industry standards are still developing, and there is no consensus on whether new norms will emerge to replace the previous framework.
Next Steps for Security Practices and Policy Adaptation
Experts anticipate increased adoption of AI-powered monitoring tools for real-time vulnerability detection and faster patching processes. Industry stakeholders are likely to reevaluate disclosure policies and develop new standards to address the accelerated threat landscape. Ongoing case studies from recent breaches will inform best practices in the coming months.
Key Questions
Why did the 90-day disclosure window become ineffective?
Advances in AI allow attackers to analyze patches and develop exploits within minutes, collapsing the time advantage previously held by defenders during the 90-day window.
What types of vulnerabilities are now most exploited?
Trust boundary failures, such as OAuth misconfigurations and SaaS-to-SaaS authentication issues, are now more impactful than traditional memory safety bugs.
How are organizations responding to this shift?
Many are adopting AI-based monitoring tools for real-time detection and reconsidering patching and disclosure policies to mitigate the faster threat cycle.
Will the traditional responsible disclosure model be replaced?
It is uncertain; industry experts are debating whether new standards will emerge to better align with the accelerated pace of vulnerability discovery and exploitation.
Source: ThorstenMeyerAI.com