AI Exploits Are Killing the 90-Day Disclosure Window

Published: May 12, 2026 | 6 min read

The 90-day vulnerability disclosure window is failing as AI models generate exploits in minutes. Learn how enterprises must adapt their security strategies to survive this new threat landscape.

The 90-day vulnerability disclosure window — the security industry's long-standing standard for giving vendors time to patch before researchers go public — is under existential pressure. Language models can now reverse-engineer a working exploit from a published security patch in as little as 30 minutes, a capability that renders the traditional disclosure timeline functionally obsolete and forces an urgent rethink of how enterprises manage AI security risk.

From Weeks to Minutes: The New Threat Timeline

The 90-day window, popularized by Google Project Zero and widely adopted across the industry, was built on a reasonable assumption: that converting patch information into a weaponized exploit required significant human expertise and time. That assumption no longer holds.

According to reporting by The Decoder, AI models are now capable of analyzing a released patch, identifying the underlying vulnerability it addresses, and generating a functional proof-of-concept exploit — all within a 30-minute window. The implication is stark: the moment a vendor ships a patch, the clock starts ticking not in days, but in minutes.

"AI turns patches into working exploits in 30 minutes — and the 90-day disclosure window is the casualty." — The Decoder, May 2026

This dynamic inverts the traditional security calculus. Previously, the race was between attackers manually reverse-engineering patches and defenders deploying fixes across their fleet. Now, AI automation has handed attackers a structural advantage: they can generate and test exploits faster than most enterprise patch-validation workflows can even begin.

OpenAI Enters the Arena with Daybreak

The urgency of this threat has not gone unnoticed at the frontier model labs. OpenAI has launched Daybreak, a dedicated cybersecurity initiative that places Codex Security at the center of its vulnerability detection and patch-validation strategy.

As detailed by MarkTechPost, Daybreak is designed to use AI offensively — in a controlled, defensive context — to find vulnerabilities before malicious actors do, and to validate that patches actually close the holes they claim to close. The initiative signals a broader industry acknowledgment that the only credible response to AI-accelerated exploitation is AI-accelerated defense.

Codex Security, the engine behind Daybreak, is positioned as a tool that security teams can deploy to stress-test patches in near-real-time, compressing what was once a multi-week validation cycle into something that can keep pace with the new threat tempo.

The significance of a major AI lab directly entering the patch-validation space cannot be overstated. It represents an institutional admission that the existing disclosure ecosystem — built around human-paced workflows — is structurally broken.

What the 90-Day Window Was Actually Protecting

To understand what's being lost, it's worth revisiting what the 90-day standard was designed to do. The window served three functions simultaneously:

  1. Vendor remediation time — giving software makers enough runway to develop, test, and ship a fix
  2. Enterprise deployment buffer — allowing organizations to stage and validate patches across complex infrastructure before adversaries could exploit the disclosed flaw
  3. Coordinated disclosure incentive — encouraging researchers to work with vendors rather than selling exploits on gray or black markets

AI-generated exploit automation threatens all three. If attackers can weaponize a patch within 30 minutes of its release, the enterprise deployment buffer effectively disappears. Organizations that once had days or weeks to patch critical systems now face a window measured in the time it takes an AI agent to run a reverse-engineering pipeline.

The Patch-Validation Bottleneck

For enterprise security teams, the practical crisis is in patch-validation workflows. Most large organizations cannot simply apply patches the moment they drop — testing for compatibility, regression issues, and operational impact across heterogeneous environments takes time. That time, historically protected by the assumption that exploits take days to develop, is now a dangerous liability.

The emerging response involves several parallel tracks:

  • AI-assisted patch triage: Using models like Codex Security to instantly assess the severity and exploitability of a given patch, prioritizing which fixes demand emergency deployment versus standard change-management cycles
  • Compressed testing pipelines: Investing in automated regression and compatibility testing infrastructure that can run in hours rather than days
  • Zero-trust segmentation: Treating unpatched systems as already compromised and isolating them from critical assets during the validation window

None of these are trivial to implement, and smaller enterprises without dedicated security engineering capacity face a particularly acute challenge.

Industry Implications: A Disclosure Framework Under Pressure

The coordinated disclosure model itself may need renegotiation. Some security researchers are already arguing that publishing patches without simultaneously publishing mitigations — or without ensuring a critical mass of enterprise deployments — effectively hands attackers a roadmap.

Alternative models being discussed include:

  • Silent patching with delayed public disclosure, giving enterprises a head start before the patch becomes an exploit blueprint
  • Tiered disclosure where patch details are shared with verified enterprise defenders before public release
  • Real-time threat intelligence sharing between vendors, AI security platforms, and large enterprise defenders to coordinate response at machine speed

Each approach carries tradeoffs. Silent patching reduces transparency and can mask systemic software quality problems. Tiered disclosure creates access inequality between large and small organizations. But the status quo — a 90-day window that assumes human-speed exploitation — is no longer defensible.

What to Watch

OpenAI's Daybreak initiative will be a bellwether for whether AI-native security tooling can actually close the gap. If Codex Security can validate patches and detect exploit-ready vulnerabilities faster than adversarial models can weaponize them, it would represent a genuine defensive breakthrough.

More broadly, the security industry should expect pressure on disclosure policy from regulators, insurers, and enterprise buyers who are beginning to understand that the 30-minute exploit window makes current frameworks untenable. CISA, the EU's ENISA, and major software vendors will likely face calls to revisit coordinated disclosure standards before the end of 2026.

For enterprise security leaders, the immediate priority is clear: assume that any published patch is also a published exploit blueprint, and build response workflows accordingly. The 90-day window isn't just shrinking — for AI-accelerated threats, it may already be gone.


Last reviewed: May 12, 2026

Tags: Enterprise AI Security Risks, Cybersecurity, Vulnerability Management, Generative AI
