The 90-day disclosure window was built for a world where vulnerability discovery, patch validation, and exploit development happened on different clocks. That assumption is breaking.

According to recent reporting from The Decoder, AI-assisted tools are now collapsing the lag between patch release and weaponized exploit to roughly 30 minutes in some cases. The same dynamic is also making vulnerability discovery itself feel less sequential and more simultaneous: when one researcher finds a flaw, others using similar models and tooling can converge on the same bug almost immediately. In practice, that means the old cadence — find, disclose, patch, wait — is losing its protective value.

That is the technical significance of the shift. The danger is not just that AI helps attackers write better payloads. It is that AI reduces the time required to move from signal to exploit so much that time-based defenses stop working. A patched vulnerability is no longer necessarily a safe vulnerability. If an attacker can reverse-engineer a patch into a working exploit in minutes, then the interval in which operators used to schedule maintenance, test updates, and roll out fixes has effectively disappeared.

This changes the economics of disclosure. The traditional model assumed vendors had a buffer: even after a bug was public or a patch was released, defenders could usually count on days or weeks before broad exploitation matured. That buffer is now unreliable. Security teams have to plan for near-simultaneous exposure: discovery by researchers, patch publication by vendors, exploit creation by adversaries, and mass scanning in the same compressed window.

For product teams, the implication is immediate and uncomfortable. Critical bugs can no longer be treated as standard backlog items that move through ordinary release trains. They need an emergency posture: rapid triage, fast-fail verification, accelerated patch generation, and a deployment path that can push remediations into production without waiting for the next scheduled release. If a fix takes a week to ship and another week to reach most tenants, the organization is already operating outside the safe zone.

That means patch cadence is now a product design problem, not just a security operations problem. Vendors need release architectures that support hotfixes, feature flags, staged rollouts, and rollback-safe updates as first-class capabilities. Operators need automated patching at scale, coupled with precise controls so that speed does not simply trade one outage mode for another. The real operational requirement is fast, measurable, reversible remediation.

The same logic applies to enterprise software distribution, SaaS infrastructure, and embedded environments. If systems cannot accept urgent fixes quickly, then risk accumulates at the architecture layer. Products that still depend on manual approval chains, brittle change windows, or customer-managed patch schedules are effectively assuming attackers will remain slower than they are now. That assumption is no longer defensible.

Defenders need to adapt their tooling as well. Automated patch validation becomes essential because the number of emergency releases will rise and the time available for QA will shrink. CI/CD pipelines have to be able to run security regression tests, compatibility checks, and canary deployment logic quickly enough to keep up with exploit generation. In parallel, runtime protections matter more: anomaly detection, rate limiting, sandboxing, and least-privilege controls can absorb some of the damage when a flaw becomes public faster than it can be fully eradicated.
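The "fast, measurable, reversible remediation" requirement and the canary deployment logic described above can be made concrete as an automated promotion gate for an emergency hotfix. This is an added example, not code from the article or any vendor; the stage sizes, thresholds, deadline, and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed values: fleet fraction per stage and gate thresholds. Tune per product.
STAGES = (0.01, 0.10, 0.50, 1.00)
MAX_ERROR_RATIO = 1.5   # a stage may run at most 1.5x the pre-patch error rate
MIN_REQUESTS = 500      # below this sample size the gate refuses to decide

@dataclass
class StageObs:
    requests: int       # requests served by patched hosts during the soak
    errors: int         # failed requests among them
    minutes: int        # soak time spent at this stage

def gate(baseline_rate, obs):
    """Decide 'promote', 'hold' or 'rollback' for one stage."""
    if obs.requests < MIN_REQUESTS:
        return "hold"   # too little traffic to judge: measurable before fast
    # Floor the limit so a near-zero baseline does not fail on a single error.
    limit = max(baseline_rate * MAX_ERROR_RATIO, 0.001)
    return "promote" if obs.errors / obs.requests <= limit else "rollback"

def run_rollout(baseline_rate, observations, deadline_minutes):
    """Walk the stages in order and stop at the first hold or rollback.
    Returns (state, fleet_fraction_patched, elapsed_minutes, met_deadline)."""
    elapsed, fraction = 0, 0.0
    for fraction, obs in zip(STAGES, observations):
        elapsed += obs.minutes
        decision = gate(baseline_rate, obs)
        if decision == "rollback":
            return ("rolled_back", 0.0, elapsed, False)  # reversible: fleet reverted
        if decision == "hold":
            return ("held", fraction, elapsed, False)
    done = len(observations) >= len(STAGES)
    state = "complete" if done else "in_progress"
    return (state, fraction, elapsed, done and elapsed <= deadline_minutes)

# Constructed sample telemetry (not real data).
HEALTHY = [StageObs(1000, 2, 5), StageObs(5000, 9, 10),
           StageObs(20000, 41, 15), StageObs(40000, 80, 20)]
REGRESSING = [StageObs(1000, 2, 5), StageObs(5000, 60, 10)]
LOW_TRAFFIC = [StageObs(100, 0, 5)]

if __name__ == "__main__":
    for name, obs in (("healthy", HEALTHY), ("regressing", REGRESSING),
                      ("low-traffic", LOW_TRAFFIC)):
        print(name, run_rollout(0.002, obs, deadline_minutes=60))
```

The elapsed-minutes figure is the number to compare against the exploit timelines the article cites: it is the window during which unpatched hosts remain exposed.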

There is also a governance implication that often gets overlooked in discussions of AI and security. Disclosure policies, SLA language, vendor risk reviews, and incident playbooks were all built around older timing assumptions. If an exploit can emerge within minutes of a patch, then contractual remediation deadlines, customer notification procedures, and internal escalation paths all need to be rewritten. Governance is not just paperwork here; it determines whether the organization can legally and operationally respond at machine speed.

The broader lesson is that AI is not simply adding volume to vulnerability discovery. It is reordering the lifecycle. Discovery, validation, weaponization, and remediation are converging into a single compressed event stream. In that environment, security teams that still think in terms of quarterly patch cycles or leisurely disclosure periods will be exposed first.

The new baseline is emergency response. Vendors must assume that any critical flaw may be mirrored across researchers and adversaries almost instantly. Operators must assume that patches can become attack guidance. And product builders must design systems that can absorb rapid, automated remediation without human bottlenecks.

The 90-day window did not fail because it was poorly managed. It failed because AI made the world faster than the window was designed to contain.