Security researcher Himanshu Anand warns that modern language models let multiple actors find the same vulnerabilities and turn published patches or diffs into working exploits within minutes, eroding the protections of the 90‑day disclosure model.
Himanshu Anand says modern language models are compressing the time from patch publication to working exploit code from days to minutes, breaking the operational assumptions behind the Project Zero‑style 90‑day disclosure window. That change matters because it leaves vendors, incident responders and end users with far less time to triage, patch and coordinate mitigations before adversaries can weaponize fixes.
Anand documents concrete, recent incidents to illustrate the shift. In April he reported a critical bug in an online store that allowed zero‑dollar purchases and discovered he was the eleventh reporter for that same flaw over six weeks. Triage teams told him they had seen waves of nearly identical reports after an initial AI‑driven find, suggesting parallel, automated discovery is producing repeated, duplicated submissions.
He gives a separate example involving the React framework in which he downloaded a source diff after a patch and used a language model to produce a working exploit in roughly 30 minutes — work that previously would have taken experienced reverse engineers days. That case shows how quickly a published patch or diff can be reverse‑engineered into reliable exploit code when AI is used to automate the analysis.
Kernel vulnerabilities show similar acceleration and broad reach. The team Xint Code published a Linux bug dubbed “Copy Fail,” which their report said was found after an hour‑long AI scan; a 732‑byte script grants root on many distributions going back to 2017 and was exploited in DDoS campaigns by Iranian actors within days. Separately, researcher Hyunwoo Kim negotiated a five‑day embargo for a flaw called “Dirty Frag,” but third parties disclosed the same class of bug within hours and Microsoft’s Defender team reported active exploitation within 24 hours.
Anand traces the problem to four assumptions that underlie the 90‑day model: that the initial finder is likely unique, that independent finders will surface vulnerabilities slowly, that vendors have a comfortable head start to produce and roll out fixes, and that attackers need days to reverse‑engineer a patch. He argues AI undermines each assumption by enabling parallel discovery, rapid report flooding, and near‑instant conversion of published diffs into exploit code.
The operational consequences are immediate: the interval between patch release and active exploitation is shrinking to minutes or hours, triage teams face rapid surges of highly similar reports, and coordinated, multi‑distribution patch rollouts can be overtaken before they complete. Anand recommends treating critical bugs as immediate emergencies, shortening researcher disclosure timelines, and assuming adversaries will reach exploit code quickly once a patch appears.
Sources
Replies (0)
No replies in this topic yet.
