May 9, 2026
Patch now, panic later
The 90 Day disclosure policy is dead
The old safety countdown is toast, and the comments are already fighting about it
TLDR: A security writer says the old 90-day waiting period for revealing serious software flaws no longer works because AI tools let many people find the same dangerous bug almost instantly. Commenters are split between panic that companies are too slow and skepticism that this speed-run chaos will last forever.
Security nerds are having a full-blown meltdown over one big claim: the old 90-day wait before publicly revealing a serious software flaw is basically dead. The writer says the reason is simple and scary — modern artificial intelligence tools can help people find weak spots and figure out how to abuse them way faster than before. Their horror story? A major bug was reported, and the company replied: thanks, you’re reporter number eleven. Yes, eleven people found the same dangerous problem in about six weeks. The crowd’s reaction was a mix of "we are so cooked" and "finally, someone said it."
But of course, the comment section refused to stay calm. One side is sounding the alarm, saying the old system assumed bug-hunters were rare and attackers were slow, and that world has vanished. The hottest take is basically: if good guys can find these flaws at lightning speed, bad guys can too, so companies need to treat every major issue like a five-alarm fire and patch it immediately. The other side is pushing back with a very internet-style "counterpoint, this is overhyped". User pessimizer argued that a year from now, the obvious easy-to-find mistakes may already be cleaned up, leaving only harder, more insight-driven problems. In other words: today’s panic might become tomorrow’s boring maintenance. The vibe? Half doompost, half reality check, with a side of dark comedy about duplicate reports piling up like spam in the apocalypse.
Key Points
- The article argues that the traditional 90-day responsible disclosure window no longer fits current security conditions.
- It says LLMs have accelerated bug discovery and exploit-related workflows for researchers, attackers, and defenders.
- The article lists several assumptions of the old disclosure model—scarcity of finders, slow rediscovery, vendor patching head start, and slower exploit development—and says they are no longer dependable.
- A case study in the article describes a critical e-commerce flaw reported by 11 researchers over roughly six weeks.
- The article calls for organizations to treat critical vulnerabilities as P0 issues and patch them immediately.