📊 Full opportunity report: The 90-Day Window Closed. Nobody Sent a Notice. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
The traditional 90-day window for disclosing security vulnerabilities has ended without any notices from vendors or researchers. This shift is driven by AI-driven discovery, which allows exploits to be developed faster than before, changing the security landscape.
The 90-day window for responsible disclosure of security vulnerabilities has closed without any notices from vendors or researchers, marking a fundamental shift in cybersecurity dynamics.
Historically, the 90-day coordinated disclosure window, established by initiatives like Google Project Zero in 2014, provided a structured period for vendors to patch vulnerabilities after they were reported by researchers. This window was designed to give defenders time to deploy patches before exploits could be weaponized publicly. However, in 2026, this framework has been effectively broken by advances in AI-driven vulnerability discovery.
Recent developments include the public disclosure of the Copy Fail vulnerability in the Linux kernel on April 29, 2026, four weeks after the fixing patch was committed on April 1. AI systems can now monitor kernel commits, analyze diffs, and reconstruct exploits within minutes—far faster than human reverse engineering. During the four-week window between the commit and public disclosure, attackers with AI tools could have identified and weaponized the bug before the fix had reached end-user systems, undermining the original protective purpose of the window.
Furthermore, the collapse of the knowledge floor—where previously only highly trained security researchers could find zero-days—has been accelerated by AI prompting, enabling engineers with minimal security expertise to generate exploits. This has shifted the nature of threats: attackers can now mount sophisticated attacks swiftly and with less specialized knowledge. Recent breaches at Vercel and Canvas illustrate that the most critical vulnerabilities now lie in trust boundaries—OAuth scopes, SaaS permissions, environment variables—areas that traditional defenses do not adequately protect.
The 90-day window closed.
Nobody sent a notice.
The commit-monitoring window. The knowledge floor. And what Vercel and Canvas reveal about where the bugs actually live.
Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between commit and disclosure are the dangerous window — AI can rediscover the bug from the diff in minutes, while distribution patches take 2-8 weeks to reach end-user systems. Three asymmetries compound: time, expertise, knowledge category. Defender disadvantage compounds across all three.
The patch is now the disclosure event.
Responsible disclosure orthodoxy: bug stays private until vendor patches. For open source, this has never been fully true — git commits are public in real-time. Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between are the dangerous window.
[Timeline figure: commit fafe0fa2995a reverting the 2017 in-place AEAD optimization; patch is now public. Stage labels from the figure: INSTANT, TREES, PUBLIC, AVAILABLE, SLOWLY.]
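The defender's side of the commit-monitoring window described above, as an added example that is not code from the article or from the kernel project: a script that reads an upstream git log, scores commits that look like quiet security fixes so they can be expedited into the fleet, and measures the exposure window in days from the upstream commit to the date the fix actually reached a given point (public disclosure, distro package, or your own systems). The log format, hashes, subjects, paths, keywords and scoring weights are all constructed assumptions; only the April 1 and April 29, 2026 dates come from the page.

```python
"""Quiet-fix triage for an upstream git log (added example, not from the article).

For open source, the commit is the disclosure event, so the window that matters
runs from the upstream commit until the fix reaches your systems. This script
flags commits that look like security fixes and measures that window in days.
All heuristics, keywords, paths and the sample log below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample in the shape of
#   git log --date=short --name-only --format='commit %h%n%ad%n%s%n%b'
# with a single-paragraph body. Hashes, subjects and paths are invented
# placeholders, not real kernel commits.
SAMPLE_LOG = """\
commit aaaa00000001
2026-04-01
crypto: revert in-place processing in example_aead
Fixes: bbbb00000002 ("crypto: example_aead - process buffers in place")
Cc: stable@vger.kernel.org

crypto/example_aead.c

commit cccc00000003
2026-04-02
docs: fix typo in README

Documentation/README.rst

commit dddd00000004
2026-04-03
net: example_driver: fix use-after-free on close
Fixes: eeee00000005 ("net: example_driver: add close path")

drivers/net/example_driver.c
"""

# Assumed signals of a security-relevant fix; tune these for your tree.
KEYWORDS = ("use-after-free", "overflow", "out-of-bounds", "revert",
            "uninitialized", "double free", "race", "leak", "bypass")
SENSITIVE_DIRS = ("crypto/", "net/", "fs/", "kernel/", "mm/", "drivers/")
FLAG_THRESHOLD = 3


@dataclass
class Commit:
    hash: str
    date: str                  # ISO date as printed by --date=short
    subject: str
    body: list[str] = field(default_factory=list)
    files: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Commit]:
    """Parse the constructed log format above into Commit records."""
    commits: list[Commit] = []
    current = None
    mode = "header"
    for line in text.splitlines():
        if line.startswith("commit "):
            current = Commit(hash=line.split()[1], date="", subject="")
            commits.append(current)
            mode = "header"
            continue
        if current is None:
            continue
        if mode == "header":
            if not current.date:
                current.date = line.strip()
            else:
                current.subject = line.strip()
                mode = "body"
        elif mode == "body":
            if line.strip() == "":
                mode = "files"          # blank line separates body from file list
            else:
                current.body.append(line.strip())
        elif mode == "files" and line.strip():
            current.files.append(line.strip())
    return commits


def score(commit: Commit) -> int:
    """Heuristic score: higher means more likely a quiet security fix."""
    text = " ".join([commit.subject, *commit.body]).lower()
    points = 0
    if "fixes:" in text:
        points += 2                 # Fixes: trailer points at the bug being closed
    if "cc: stable@" in text:
        points += 2                 # queued for stable trees
    points += 2 * sum(1 for kw in KEYWORDS if kw in text)
    if any(f.startswith(SENSITIVE_DIRS) for f in commit.files):
        points += 1
    return points


def triage(commits: list[Commit], threshold: int = FLAG_THRESHOLD) -> list[Commit]:
    """Return commits worth expediting, highest score first."""
    flagged = [c for c in commits if score(c) >= threshold]
    return sorted(flagged, key=score, reverse=True)


def exposure_days(commit_iso: str, reached_iso: str) -> int:
    """Days the fix was public in git before it reached the given point."""
    return (date.fromisoformat(reached_iso) - date.fromisoformat(commit_iso)).days


if __name__ == "__main__":
    for c in triage(parse_log(SAMPLE_LOG)):
        print(f"{c.hash} score={score(c)} {c.date} {c.subject}")
    # Dates from the article: upstream commit April 1, public disclosure April 29, 2026.
    print("commit-to-disclosure window:", exposure_days("2026-04-01", "2026-04-29"), "days")
```

Feed it the output of the `git log` invocation shown in the comment, and pass the date your own package update landed as the second argument of `exposure_days` to see the window that actually applied to your fleet rather than the public-disclosure one.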
“Please find a security vulnerability.”
No training required.
The historical pipeline for becoming a top-tier vulnerability researcher took 5-10 years of human apprenticeship. Kernel internals. Processor architecture. Exploit-mitigation-bypass craft. Decompiler-output reading. All baked into frontier model training data.
Historical pipeline (human apprenticeship):
- CS degree with security specialization
- 3-5 years red team / CTF / firm experience
- 2-3 years senior research with reportable findings
- Tacit knowledge: kernel internals, decompiler output reading, exploit-mitigation-bypass craft
- Global pool: ~200-500 senior researchers per decade
- Apprenticeship: mentored by existing experts
With frontier model access:
- Frontier model API access ($20-200/month for individuals)
- One prompt: “Please find a security vulnerability”
- No security training required (Anthropic / AISI / CETaS verified)
- Tacit knowledge baked in from model training
- Pool of capable actors: millions globally
- Bottleneck: willingness to use it, not skill
The prompt Anthropic used to discover vulnerabilities with Mythos “essentially amounted to ‘Please find a security vulnerability in this program.’” Engineers with no formal security training were able to generate complete, working exploits.
Memory safety isn’t where the breaches happen anymore.
Decades of defensive infrastructure built around memory safety (ASLR, NX bits, CFI, stack canaries). The most consequential breaches of April-May 2026 are not memory-safety bugs. They are trust-boundary failures at integration seams.
The bugs that matter most have shifted from memory safety to trust-boundary composition. OAuth scopes. SaaS-to-SaaS authentication. Multi-tier account models. Third-party app permissions. Environment variable handling. Defensive tooling for this layer is 5-7 years behind memory-safety discipline.
Defensive infrastructure for memory safety is 25+ years mature. Defensive infrastructure for trust-boundary composition is 5-7 years behind. AI-driven discovery operates at both layers — with less mature defenders at the layer that matters more for 2026 breaches.
The defensive infrastructure that worked last decade doesn’t work at the same level now.
Adaptation is necessary. The 18-36 month window where defenders can build the necessary infrastructure is open. Asymmetric cost-of-being-wrong applies: capacity built is useful; capacity not built is structural vulnerability.
The 90-day window collapsed. The knowledge floor collapsed. The bugs moved layers. Three asymmetries compound. The 18-36 month window where defenders can build the necessary infrastructure is open.
Implications of the Disrupted Disclosure Framework
The end of the 90-day window signifies a paradigm shift in cybersecurity. It reduces the time defenders have to respond to vulnerabilities and increases the risk of exploits being weaponized before patches are widely deployed. This change favors attackers, especially those equipped with AI tools, and calls into question the effectiveness of existing patch management strategies. It also highlights the need for new security models focused on trust boundaries and third-party integrations, which are now the most vulnerable points.
Evolution of Vulnerability Disclosure and AI Impact
The 90-day coordinated disclosure model was introduced to balance the interests of researchers and vendors, providing a predictable window for patching vulnerabilities. Over time, it became a cornerstone of responsible security practices. However, recent advances in AI—such as Theori’s Xint Code—have drastically reduced the time needed to analyze patches and develop exploits. The Linux kernel commit for Copy Fail on April 1, 2026, exemplifies how AI can rapidly reconstruct exploits from diff analysis, making the previous window obsolete.
In addition, recent breaches at Vercel (April 19) and Canvas (ongoing since May 1) reveal that vulnerabilities now often stem from trust boundary failures rather than memory safety bugs. These include OAuth misconfigurations and SaaS permissions, areas traditionally less protected by existing security measures. The combination of rapid AI discovery and shifting vulnerability types signals a need to rethink disclosure and defense strategies.
“Our recent breach highlighted how trust boundary failures are now the primary attack vector, which existing defenses are ill-equipped to handle.”
— Vercel security team
Unclear Impact on Future Disclosure Practices
It remains uncertain how industry standards and regulations will adapt to this new reality. While the collapse of the traditional window is evident, there is no consensus on alternative disclosure frameworks or how to enforce faster patching cycles in an AI-dominated environment. The long-term implications for responsible disclosure and vulnerability management are still being debated among stakeholders.
Next Steps for Security Stakeholders
Security organizations and vendors are expected to reevaluate their incident response and patch management strategies. Discussions around new disclosure models, possibly incorporating real-time or continuous patching, are likely to accelerate. Additionally, increased focus on securing trust boundaries and third-party integrations will become a priority to mitigate vulnerabilities that AI tools can now discover rapidly. Monitoring developments in regulation and industry standards will be critical for adapting to this evolving threat landscape.
Key Questions
What caused the collapse of the 90-day disclosure window?
Advances in AI-driven vulnerability discovery, such as those demonstrated by Theori’s Xint Code, enable exploits to be reconstructed and weaponized within minutes of a patch being committed, effectively rendering the traditional 90-day window obsolete.
How does AI accelerate exploit development?
AI systems can analyze code diffs, identify security issues, and generate exploits rapidly—often within minutes—compared to hours or days required by human researchers, collapsing the previous time advantage for defenders.
What vulnerabilities are now most critical in 2026?
Trust boundary failures, including OAuth scope misconfigurations, SaaS-to-SaaS permissions, environment variables, and third-party app permissions, are now the most impactful vulnerabilities, surpassing traditional memory-safety bugs.
Will the industry adopt new disclosure standards?
It is unclear at this stage. While the current trends suggest a move toward faster or continuous disclosure models, no consensus has been reached, and regulatory frameworks are still evolving.
What can organizations do to protect themselves now?
Organizations should focus on securing trust boundaries, implementing strict access controls, monitoring third-party integrations, and adopting proactive security measures tailored to AI-driven discovery threats.
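The trust-boundary layer named earlier on the page (OAuth scopes, SaaS-to-SaaS permissions, third-party app grants, environment variable handling) and the advice in this answer (strict access controls, monitoring third-party integrations) both come down to the same audit, shown here as an added example that is not code from the article or from any vendor named on it. The script compares each integration's granted scopes against the least-privilege set its job needs, flags grants that have sat unused past a cutoff, and flags environment variables that hand a third-party step a secret it was never approved for. The integration records, scope names, policy, secret-naming convention and the 90-day staleness cutoff are constructed assumptions.

```python
"""Least-privilege audit of third-party integrations (added example, not from the article).

Checks three trust-boundary conditions per integration:
  over_privileged  - granted scopes exceed the policy's least-privilege set
  stale_grant      - the grant has not been used within STALE_AFTER_DAYS
  secret_exposure  - an environment secret is readable without an approval
All data, scope names and policy values below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

STALE_AFTER_DAYS = 90          # assumed cutoff; unused grants older than this are revocation candidates
SECRET_MARKERS = ("TOKEN", "SECRET", "KEY", "PASSWORD")   # assumed naming convention for secrets


@dataclass
class Integration:
    name: str
    granted_scopes: set[str]
    last_used: str                                   # ISO date of last API use
    env_exposed: dict[str, str] = field(default_factory=dict)  # env vars this integration can read


@dataclass
class Finding:
    integration: str
    kind: str                                        # one of the four kinds listed above
    detail: str


# Assumed policy: the minimum scopes each integration's job actually requires.
POLICY = {
    "ci-bot": {"repo:read", "checks:write"},
    "slack-notifier": {"notifications:read"},
    "deploy-hook": {"repo:read", "deployments:write"},
}
# Assumed approvals: which secrets each integration is allowed to see.
APPROVED_SECRETS = {"deploy-hook": {"DEPLOY_TOKEN"}}

# Constructed inventory of installed integrations (values are placeholders).
SAMPLE_INTEGRATIONS = [
    Integration("ci-bot", {"repo:read", "checks:write"}, "2026-05-01"),
    Integration("slack-notifier", {"notifications:read", "repo:write", "admin:*"}, "2026-01-10"),
    Integration("deploy-hook", {"repo:read", "deployments:write"}, "2026-04-28",
                env_exposed={"DEPLOY_TOKEN": "<redacted>", "DB_PASSWORD": "<redacted>",
                             "NODE_ENV": "production"}),
    Integration("legacy-sync", {"repo:write"}, "2025-11-02"),
]


def looks_like_secret(var_name: str) -> bool:
    return any(marker in var_name.upper() for marker in SECRET_MARKERS)


def audit(integrations: list[Integration], today: str) -> list[Finding]:
    """Return every trust-boundary finding across the inventory."""
    findings: list[Finding] = []
    now = date.fromisoformat(today)
    for app in integrations:
        needed = POLICY.get(app.name)
        if needed is None:
            # No policy on file: nothing is justified, so every scope is excess.
            findings.append(Finding(app.name, "unknown_app", "no least-privilege policy on file"))
            needed = set()
        excess = sorted(app.granted_scopes - needed)
        if excess:
            findings.append(Finding(app.name, "over_privileged", "excess scopes: " + ", ".join(excess)))
        idle = (now - date.fromisoformat(app.last_used)).days
        if idle > STALE_AFTER_DAYS:
            findings.append(Finding(app.name, "stale_grant", f"unused for {idle} days"))
        approved = APPROVED_SECRETS.get(app.name, set())
        for var in sorted(app.env_exposed):
            if looks_like_secret(var) and var not in approved:
                findings.append(Finding(app.name, "secret_exposure", f"reads {var} without approval"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INTEGRATIONS, "2026-05-05"):
        print(f"[{f.kind}] {f.integration}: {f.detail}")
```

Run against a real inventory, the `POLICY` and `APPROVED_SECRETS` tables are the part worth maintaining: an integration with no entry is reported rather than silently tolerated, which is the behaviour you want at a boundary where the default has historically been to grant whatever the third party asked for.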
Source: ThorstenMeyerAI.com