TL;DR
The 90-day coordinated disclosure window has effectively ended, with no vendors issuing notices for recent high-profile vulnerabilities. AI-driven discovery now allows exploits to be developed faster than patches can be deployed, shifting the security landscape.
Vendors have not issued any notices or patches within the traditional 90-day window following recent high-profile security disclosures, signaling a fundamental shift in vulnerability management and threat dynamics.
Since the adoption of the 90-day coordinated disclosure policy, vendors were expected to respond within three months of a vulnerability report. However, recent cases, including the Linux kernel’s Copy Fail bug and breaches at Vercel and Canvas, demonstrate that attackers can now exploit vulnerabilities in real-time, often before patches are publicly available.
The Linux kernel patch for Copy Fail was committed on April 1, 2026, but no vendor or affected organization issued a notice or patch by the end of the 90-day window on June 30, 2026. Meanwhile, AI-driven tools can monitor kernel commits, reverse engineer patches, and develop exploits within minutes—a process that previously took days or weeks.
Experts warn that this shift diminishes the protective advantage historically held by defenders, as attackers can now operate with near real-time intelligence, rendering the traditional 90-day window obsolete. The recent breaches at Vercel (April 19) and Canvas (May 1) further highlight that modern vulnerabilities often reside in trust boundaries, such as OAuth scopes and SaaS integrations, rather than traditional memory safety bugs.
The 90-Day Window Closed. Nobody Sent a Notice.
Disclosure Closed · May 2026
The 90-day window closed.
Nobody sent a notice.
The commit-monitoring window. The knowledge floor. And what Vercel and Canvas reveal about where the bugs actually live.
Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between commit and disclosure are the dangerous window — AI can rediscover the bug from the diff in minutes, while distribution patches take 2-8 weeks to reach end-user systems. Three asymmetries compound: time, expertise, knowledge category. Defender disadvantage compounds across all three.
● VERCEL APR 19 CONTEXT.AI → OAUTH → GOOGLE WORKSPACE → VERCEL ENV VARS → $2M BREACHFORUMS
● CANVAS MAY 1-12 SHINYHUNTERS · 275M RECORDS · 9,000 INSTITUTIONS · FINALS WEEK OUTAGE
● KNOWLEDGE FLOOR “PLEASE FIND A SECURITY VULNERABILITY” · NO TRAINING REQUIRED · ENGINEERS PRODUCED WORKING EXPLOITS
● DISTRIBUTION LAG MAINLINE → STABLE → DISTRO PACKAGE → DEPLOY · 2-8 WEEKS TYPICAL · LEGACY: NEVER
● CATEGORY SHIFT OAUTH SCOPES · SAAS TRUST · ENV VARS · FREE-TIER ABUSE · NOT MEMORY SAFETY
● 28-DAY WINDOW COPY FAIL · APR 1 COMMIT → APR 29 DISCLOSURE · BUG REDISCOVERABLE FROM DIFF
The patch is now the disclosure event.
Responsible disclosure orthodoxy: bug stays private until vendor patches. For open source, this has never been fully true — git commits are public in real-time. Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between are the dangerous window.
Timeline · Copy Fail patch propagation
● Apr 1 · mainline commit
● ~Apr 10 · stable
● Apr 29 · disclosure
● Apr 30-May 7 · distro patches
● +weeks · deployed
28-day commit-to-disclosure window: AI rediscovers the bug from the public diff. PATCH IS PUBLIC · BUG IS PUBLIC · NO DEFENDER WARNING.
Deployment lag: unpatched systems exposed. LONG TAIL · LEGACY · MONTHS+.
AI watches every kernel commit: “DOES THIS COMMIT FIX A SECURITY ISSUE?”
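The pipeline above is, from a defender's side, a tracking problem: the moment a fix lands in a public tree, the exposure clock starts, and it keeps running on every host until the distro package is deployed there. The following script is an added example (not code from the original page or from any project it names) of that bookkeeping. It uses the two dates the page gives for Copy Fail (mainline April 1, disclosure April 29) and the page's mainline commit id; the fleet inventory, the sample commit messages and the keyword list used to triage commits are constructed assumptions.

```python
"""Patch-propagation exposure tracker (added example, not from the original page).

Models the pipeline the page describes: mainline commit -> stable -> distro
package -> deploy. Given one tracked upstream fix and a fleet inventory it
reports (a) the commit-to-disclosure window, (b) how long each host stayed
exposed after the public commit, and (c) which hosts are still unpatched.
All fleet records and commit messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Signals a defender can use to triage upstream commits worth tracking before
# any advisory exists. The keyword list is an assumption; tune it per codebase.
SECURITY_TERMS = (
    "use-after-free", "out-of-bounds", "overflow", "underflow",
    "double free", "privilege", "bypass", "uninitialized", "race",
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
FIXES_RE = re.compile(r"^Fixes:\s*([0-9a-f]{7,40})", re.MULTILINE)


def security_signals(message: str) -> dict:
    """Answer 'does this commit look like a security fix?' for one message.

    'score' counts independent signal kinds: memory-safety/priv terms,
    a CVE id, and a Fixes: tag (0..3).
    """
    lower = message.lower()
    terms = sorted(t for t in SECURITY_TERMS if re.search(r"\b" + re.escape(t) + r"\b", lower))
    cves = CVE_RE.findall(message)
    fixes = FIXES_RE.findall(message)
    score = (1 if terms else 0) + (1 if cves else 0) + (1 if fixes else 0)
    return {"terms": terms, "cves": cves, "fixes": fixes, "score": score}


@dataclass(frozen=True)
class TrackedFix:
    commit: str                 # upstream commit id
    mainline: date              # date the fix landed in a public tree
    disclosed: Optional[date]   # public advisory date, None if none yet


@dataclass(frozen=True)
class Host:
    name: str
    deployed: Optional[date]    # date the fix reached this host; None = still exposed


def commit_to_disclosure_days(fix: TrackedFix) -> Optional[int]:
    """Length of the window in which the diff is public but no advisory exists."""
    if fix.disclosed is None:
        return None
    return (fix.disclosed - fix.mainline).days


def exposure_report(fix: TrackedFix, hosts: list, today: date) -> dict:
    """Days each host was exposed after the public commit; open hosts count to today."""
    per_host = {}
    still_exposed = []
    for h in hosts:
        end = h.deployed if h.deployed is not None else today
        per_host[h.name] = (end - fix.mainline).days
        if h.deployed is None:
            still_exposed.append(h.name)
    return {
        "commit": fix.commit,
        "commit_to_disclosure_days": commit_to_disclosure_days(fix),
        "exposure_days": per_host,
        "still_exposed": sorted(still_exposed),
        "max_exposure_days": max(per_host.values()) if per_host else 0,
    }


# --- constructed sample data -------------------------------------------------
# Dates and commit id for Copy Fail are the ones the page states; the hosts are made up.
COPY_FAIL = TrackedFix("fafe0fa2995a", date(2026, 4, 1), date(2026, 4, 29))
FLEET = [
    Host("web-01", date(2026, 5, 5)),      # got the distro package quickly
    Host("db-01", date(2026, 5, 20)),      # patched in the next maintenance window
    Host("legacy-01", None),               # the long tail: never deployed
]
# Constructed commit messages (not the real upstream text).
SAMPLE_COMMIT_MESSAGE = """subsystem: fix out-of-bounds read in page copy helper

Constructed example message for the tracker above.
Fixes: 0123456789ab ("placeholder: original change")
"""
BENIGN_COMMIT_MESSAGE = "docs: fix typo in README"


def demo_report() -> dict:
    """Exposure report for the constructed fleet as of June 30, 2026 (90 days after commit)."""
    return exposure_report(COPY_FAIL, FLEET, date(2026, 6, 30))


if __name__ == "__main__":
    for msg in (SAMPLE_COMMIT_MESSAGE, BENIGN_COMMIT_MESSAGE):
        print(security_signals(msg))
    print(demo_report())
```

Run as a script it prints the triage signals for both constructed messages and the report: a 28-day commit-to-disclosure window, 34 and 49 days of exposure for the two patched hosts, and 90 days and counting for the legacy host, which is exactly the long-tail case the timeline flags.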
“Please find a security vulnerability.”
No training required.
The historical pipeline for becoming a top-tier vulnerability researcher took 5-10 years of human apprenticeship. Kernel internals. Processor architecture. Exploit-mitigation-bypass craft. Decompiler-output reading. All baked into frontier model training data.
Historical pipeline · human apprenticeship
● CS degree with security specialization
● 3-5 years red team / CTF / firm experience
● 2-3 years senior research with reportable findings
● Tacit knowledge: kernel internals, decompiler output reading, exploit-mitigation-bypass craft
● Global pool: ~200-500 senior researchers per decade
● Apprenticeship: mentored by existing experts
Now · frontier model access
● Frontier model API access ($20-200/month for individuals)
● One prompt: “Please find a security vulnerability”
● No security training required (Anthropic / AISI / CETaS verified)
● Tacit knowledge baked in from model training
● Pool of capable actors: millions globally
● Bottleneck: willingness to use it, not skill
The prompt Anthropic used to discover vulnerabilities with Mythos “essentially amounted to ‘Please find a security vulnerability in this program.’” Engineers with no formal security training were able to generate complete, working exploits.
Memory safety isn’t where the breaches happen anymore.
Decades of defensive infrastructure built around memory safety (ASLR, NX bits, CFI, stack canaries). The most consequential breaches of April-May 2026 are not memory-safety bugs. They are trust-boundary failures at integration seams.
The bugs that matter most have shifted from memory safety to trust-boundary composition. OAuth scopes. SaaS-to-SaaS authentication. Multi-tier account models. Third-party app permissions. Environment variable handling. Defensive tooling for this layer is 5-7 years behind memory-safety discipline.
Defensive infrastructure for memory safety is 25+ years mature. Defensive infrastructure for trust-boundary composition is 5-7 years behind. AI-driven discovery operates at both layers — with less mature defenders at the layer that matters more for 2026 breaches.
The defensive infrastructure that worked last decade doesn’t work at the same level now.
Adaptation is necessary. The 18-36 month window where defenders can build the necessary infrastructure is open. Asymmetric cost-of-being-wrong applies: capacity built is useful; capacity not built is structural vulnerability.
For: security teams · publishers · policymakers · everyone else
The 90-day window collapsed. The knowledge floor collapsed. The bugs moved layers. Three asymmetries compound. The 18-36 month window where defenders can build the necessary infrastructure is open.
Source dossier · the receipts
732 Bytes to Root · the cost-curve collapse · Part 1
Theori / Xint Code · Copy Fail: 732 Bytes to Root · xint.io · Apr 29 2026
Linux kernel mainline patch · commit fafe0fa2995a · Apr 1 2026
CVE-2026-31431 · NVD · CVSS 7.8 (High) · CISA KEV listed
Project Zero · 90-day coordinated disclosure policy · 2014
Vercel Security Bulletin · April 2026 · vercel.com/kb/bulletin/vercel-april-2026-security-incident
Trend Micro · The Vercel Breach: OAuth Supply Chain Attack · Apr 21 2026
The Hacker News · Vercel Breach Tied to Context AI Hack
TechCrunch · Zack Whittaker · App host Vercel says it was hacked · Apr 20 2026
Hudson Rock · Context.ai Lumma Stealer compromise · Feb 2026
BleepingComputer · Vercel breach disclosure · Apr 19 2026
Instructure security incident · official disclosures · May 1-12 2026
Halcyon · Education Sector in the Crosshairs: ShinyHunters’ Extortion Campaign Against Instructure
Wikipedia · 2026 Canvas security incident · ongoing as of May 12 2026
CNN · Canvas hack: What we know · May 2026
Hackread · ShinyHunters Instructure + Vimeo breaches · May 2026
Anthropic Claude Mythos Preview System Card · Apr 7 2026
Alan Turing Institute / CETaS · Claude Mythos cybersecurity analysis
UK AI Security Institute · Mythos cyber capability evaluation
Colophon · Part 2
Set in Source Serif 4, IBM Plex Sans, & IBM Plex Mono. Security-advisory aesthetic. Free to embed with attribution.
thorstenmeyerai.com
Software security · the disclosure collapse · Part 2 of 2 · May 2026
28 days · 275M records · $2M · “find it”
Implications of the Disappearance of the 90-Day Window
The collapse of the 90-day disclosure window marks a new era in cybersecurity, where attackers can rapidly weaponize vulnerabilities before organizations can respond. This shift challenges existing patching and defense strategies, emphasizing the need for proactive monitoring and AI-driven security measures. The trend also raises questions about the future of responsible disclosure and the role of vendors in a landscape where information is exploited almost instantaneously.
Evolving Vulnerability Discovery and Response Practices
The 90-day coordinated disclosure policy, established in the early 2000s and popularized by Google Project Zero in 2014, was based on the assumption that reverse engineering patches takes significant time, allowing defenders to deploy patches before attackers can exploit vulnerabilities publicly. However, recent technological advances, especially in AI, have drastically shortened or eliminated this window.
The April 1, 2026, Linux kernel commit for Copy Fail exemplifies this shift. The patch was public from the moment it was committed, and AI tools could analyze the diff, understand the bug, and develop exploits within minutes. This undermines the core assumptions of the traditional disclosure model and accelerates the threat landscape.
Furthermore, recent breaches at Vercel and Canvas demonstrate that the most critical vulnerabilities now lie in trust boundaries—OAuth permissions, SaaS-to-SaaS integrations, environment variables—areas that are less protected by traditional memory safety defenses.
“The collapse of the 90-day window fundamentally alters the cybersecurity landscape, making real-time exploitation a new norm.”
— Thorsten Meyer
Unresolved Questions About Future Security Practices
It remains unclear how organizations will adapt their security and patching strategies in response to the accelerated threat timeline. The long-term effectiveness of current defenses against AI-enabled exploits is also uncertain, as is the potential for new regulatory or industry standards to emerge.
Next Steps for Security Stakeholders in a Rapid-Exploit Era
Organizations will need to enhance their real-time monitoring capabilities, leverage AI for threat detection, and reconsider traditional patching timelines. Industry and regulators may also explore new frameworks to address the diminished role of the 90-day window, possibly emphasizing proactive defense and zero-trust architectures. Ongoing research and case studies from recent breaches will shape these developments in the coming months.
Key Questions
Why is the 90-day disclosure window no longer effective?
Advances in AI enable exploits to be reconstructed and weaponized within minutes of a patch’s public release, eliminating the buffer period that the 90-day window was designed to provide.
What vulnerabilities are most affected by this shift?
Trust boundary vulnerabilities, such as OAuth scopes, SaaS integrations, and environment-variable handling, are now more critical than traditional memory safety bugs, as they are less protected by existing defenses.
How should organizations respond to this new threat landscape?
Organizations should adopt real-time monitoring, AI-driven threat detection, and zero-trust security models to mitigate risks posed by rapid exploit development.
Will vendors change their disclosure policies?
It is uncertain; some experts suggest new frameworks may be needed, but current practices are unlikely to revert to the traditional 90-day model given the technological realities.
What role will AI play in future cybersecurity efforts?
AI will be both a tool for defenders to detect threats faster and a weapon for attackers to develop exploits more quickly, fundamentally transforming cybersecurity dynamics.
Source: ThorstenMeyerAI.com