📊 Full opportunity report: The 90-Day Window Closed. Nobody Sent a Notice. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

The traditional 90-day window for responsible vulnerability disclosure has effectively closed, as no notices or patches were sent within the period after a major Linux kernel bug was committed. This shift is driven by AI-driven vulnerability discovery, which enables attackers to exploit bugs before patches are publicly available, altering the cybersecurity landscape.

The 90-day coordinated disclosure window for the Linux kernel vulnerability known as Copy Fail has officially closed without any notices or patches from vendors or researchers, marking a significant shift in cybersecurity dynamics. This development underscores how AI-driven vulnerability discovery is transforming traditional defense mechanisms and attack timelines, making this a critical moment for cybersecurity stakeholders.

On April 1, 2026, a patch for the Linux kernel vulnerability dubbed Copy Fail was committed. Despite the patch being public from the moment of commit, no security notice or patch was issued by vendors or researchers during the subsequent four-week period, which traditionally serves as a window for responsible disclosure. This period has historically provided defenders time to deploy patches before attackers could exploit the bug.

However, recent advances in AI-driven vulnerability detection, exemplified by tools like Theori’s Xint Code, enable attackers to monitor kernel commits in real-time, analyze diffs, and develop exploits within minutes. As a result, the window of opportunity for defenders has shrunk dramatically, and the concept of a ‘responsible’ 90-day window is no longer valid. Experts warn that this change favors attackers, who can weaponize bugs before patches are publicly available.

The 90-Day Window Closed. Nobody Sent a Notice.

DISPATCH / MAY 2026 SECURITY · DISCLOSURE COLLAPSE · COMMIT MONITORING · PART 2

▲ Part 2 · Security Disclosure Closed · May 2026

Software Security · Part 2 · The Disclosure Collapse

The 90-day window closed.
Nobody sent a notice.

The commit-monitoring window. The knowledge floor. And what Vercel and Canvas reveal about where the bugs actually live.

Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between commit and disclosure are the dangerous window — AI can rediscover the bug from the diff in minutes, while distribution patches take 2-8 weeks to reach end-user systems. Three asymmetries compound: time, expertise, knowledge category. Defender disadvantage compounds across all three.

Thorsten Meyer / ThorstenMeyerAI.com / May 2026 · Part 2

▲ THE THREE ASYMMETRIES · ALL FAVOR THE ATTACKER NOW

Asymmetry 01

Time

90-day window collapses to diff-to-exploit minutes. Distribution lag becomes the structural vulnerability window.

Asymmetry 02

Expertise

5-10 year apprenticeship pipeline collapses to “find a security vulnerability” prompt + API access.

Asymmetry 03

The patch is now the disclosure event.

Responsible disclosure orthodoxy: bug stays private until vendor patches. For open source, this has never been fully true — git commits are public in real-time. Copy Fail’s mainline patch landed April 1. Public disclosure was April 29. The 28 days between are the dangerous window.

Copy Fail · the disclosure-to-deployment timeline

Mainline commit is public from the moment it lands. Distribution propagation takes 2-8 weeks. AI processes the diff in minutes.

Apr 12026

Mainline commit lands. Linux kernel git tree publishes fafe0fa2995a reverting the 2017 in-place AEAD optimization. Patch is now public.

PUBLIC
INSTANT

~Apr 102026

Stable kernel backports. Greg KH’s stable trees include the patch. Still: no distribution package yet · no end-user deployment.

STABLE
TREES

Apr 292026

Public disclosure by Theori. CVE-2026-31431 announced. Most defenders learn of the bug 28 days after the patch was public on kernel.org.

CVE
PUBLIC

Apr 30 → May 72026

Distribution packages. Ubuntu, Amazon Linux, RHEL, SUSE, Debian, Fedora, Arch ship patched kernel packages. Each on its own schedule.

PACKAGES
AVAILABLE

+weeks → +months2026

End-user deployment. 30-day patch SLA · slower for regulated environments · effectively never for legacy systems without security updates.

DEPLOYED
SLOWLY

The 90-day window assumed private patches. Open-source patches are public from minute zero. The framework is misaligned with the capability landscape.

Asymmetry 02 · expertise · the knowledge floor collapse

Amazon

Linux kernel vulnerability detection tools

As an affiliate, we earn on qualifying purchases.

“Please find a security vulnerability.”
No training required.

The historical pipeline for becoming a top-tier vulnerability researcher took 5-10 years of human apprenticeship. Kernel internals. Processor architecture. Exploit-mitigation-bypass craft. Decompiler-output reading. All baked into frontier model training data.

The knowledge floor · before AI / now

Who can do vulnerability research. Pool of capable actors expands by orders of magnitude.

▲ Before · 2015-2023

Senior researcher path

CS degree with security specialization
3-5 years red team / CTF / firm experience
2-3 years senior research with reportable findings
Tacit knowledge: kernel internals, decompiler output reading, exploit-mitigation-bypass craft
Global pool: ~200-500 senior researchers per decade
Apprenticeship: mentored by existing experts

→

▲ Now · 2026

API access + one prompt

Frontier model API access ($20-200/month for individuals)
One prompt: “Please find a security vulnerability”
No security training required (Anthropic / AISI / CETaS verified)
Tacit knowledge baked in from model training
Pool of capable actors: millions globally
Bottleneck: willingness to use it, not skill

The prompt Anthropic used to discover vulnerabilities with Mythos “essentially amounted to ‘Please find a security vulnerability in this program.'” Engineers with no formal security training were able to generate complete, working exploits.

— Alan Turing Institute · CETaS · Claude Mythos cybersecurity analysis

Asymmetry 03 · category · where the bugs actually live

Amazon

AI cybersecurity monitoring software

As an affiliate, we earn on qualifying purchases.

Memory safety isn’t where the breaches happen anymore.

Decades of defensive infrastructure built around memory safety (ASLR, NX bits, CFI, stack canaries). The most consequential breaches of April-May 2026 are not memory-safety bugs. They are trust-boundary failures at integration seams.

Two case studies · April-May 2026

No memory corruption. No kernel exploit. Trust-boundary composition failures. Mature defensive infrastructure for memory safety doesn’t apply here.

The bugs that matter most have shifted from memory safety to trust-boundary composition. OAuth scopes. SaaS-to-SaaS authentication. Multi-tier account models. Third-party app permissions. Environment variable handling. Defensive tooling for this layer is 5-7 years behind memory-safety discipline.

▲ CASE 01 · APR 19 2026

Vercel · the OAuth supply chain attack

$2MBreachForums asking price

Chain: Lumma Stealer infected Context.ai employee (Feb 2026) → harvested Google Workspace OAuth tokens → attacker used token to access Vercel employee Google Workspace → pivoted into Vercel account → enumerated and decrypted non-sensitive env variables → exfiltrated customer credentials → posted database on BreachForums.

Pattern: third-party AI tool → OAuth → identity → platform → customer secrets

▲ CASE 02 · APR 30 – MAY 12 2026

Canvas / Instructure · free-tier abuse + extortion

275Mrecords · 3.65 TB · ~9,000 institutions

Chain: ShinyHunters found vulnerability in Canvas Free-For-Teacher account mechanism → exfiltrated 3.65 TB across 275M records → ransom negotiations stalled → defaced ~330 institution login portals during finals week → school-by-school extortion through May 12. Names, emails, student IDs, private inbox messages exposed.

Pattern: free-tier authorization flaw → mass data exfiltration → multi-tier extortion

Defensive infrastructure for memory safety is 25+ years mature. Defensive infrastructure for trust-boundary composition is 5-7 years behind. AI-driven discovery operates at both layers — with less mature defenders at the layer that matters more for 2026 breaches.

Operational response · four audiences

Amazon

software patch management tools

As an affiliate, we earn on qualifying purchases.

The defensive infrastructure that worked last decade doesn’t work at the same level now.

Adaptation is necessary. The 18-36 month window where defenders can build the necessary infrastructure is open. Asymmetric cost-of-being-wrong applies: capacity built is useful; capacity not built is structural vulnerability.

Operational response · by stakeholder

Calibrated to the new asymmetries · not to the historical defensive playbook.

▲ FOR CISOs
+ SECURITY TEAMS

Monitor upstream commits. Compress patch SLAs.

Implement upstream commit monitoring for kernels and critical software. Subscribe to mainline security lists. Evaluate suspicious commits with internal AI tooling. Target 72-hour deployment for kernel patches, 7-day for major apps, 14-day for everything else. Audit OAuth permission landscape. Treat SaaS supply chain as tier-1 infrastructure.

▲ FOR SOFTWARE
PUBLISHERS

Your commits document where your bugs are.

Security-shaped commits are findable by AI. Move toward private bug coordination for high-severity findings. Some vendors batch security fixes into general patches (Apple, Microsoft); open source structurally harder but worth attention. Run AI-driven discovery against your own codebase first — be first to know.

▲ FOR
POLICYMAKERS

Disclosure framework needs explicit policy attention.

Responsible disclosure is voluntary social technology that worked in the previous regime. Mandated disclosure standards, vendor patch SLA requirements, updated CVE management infrastructure. Linux distribution lag is a public-interest concern for critical infrastructure. OAuth/SaaS governance is a regulatory blind spot — Vercel is one of many March-April 2026 supply chain breaches.

▲ FOR
EVERYONE ELSE

Two-factor everything. Watch your OAuth grants.

Authenticator apps, not SMS. Passkeys where available. Aggressive credential rotation. Assume your SaaS providers will be breached — have a rotation playbook. Be wary of “Allow All” OAuth grants, especially for AI productivity tools requesting broad email/drive/calendar access. The Vercel chain started here.

The 90-day window collapsed. The knowledge floor collapsed. The bugs moved layers. Three asymmetries compound. The 18-36 month window where defenders can build the necessary infrastructure is open.

— Software security · the disclosure collapse · Part 2 · May 2026

Amazon

cybersecurity vulnerability scanner

As an affiliate, we earn on qualifying purchases.

Implications of the Disappearance of the 90-Day Window

This development fundamentally alters the cybersecurity landscape, shifting the advantage from defenders to attackers. The collapse of the traditional disclosure window means that vulnerabilities can be exploited immediately after they are committed, reducing the time defenders have to respond. It also highlights how AI tools are lowering the barrier for attackers, enabling even less skilled actors to identify and exploit bugs rapidly. This change increases the urgency for organizations to rethink their security strategies and adopt AI-aware defenses.

Evolving Security Practices in the AI Era

Since the early 2000s, the responsible disclosure model relied on a 90-day window, allowing vendors time to patch vulnerabilities before they were publicly disclosed. This framework was based on assumptions that reverse engineering patches took significant time, and that attackers needed additional time to develop exploits after public disclosure. However, in 2026, AI-driven tools can analyze patches and commits instantly, reconstruct exploits within minutes, and monitor code repositories continuously. The Linux kernel’s Copy Fail bug exemplifies this shift, with the patch released on April 1 but potentially exploitable immediately due to AI monitoring.

Recent incidents, including breaches at Vercel and Canvas, reveal that the most critical vulnerabilities now often lie at trust boundaries—such as OAuth scopes and SaaS integrations—rather than kernel memory safety bugs. These vulnerabilities are less protected by traditional defenses and more susceptible to AI-facilitated discovery and exploitation.

“The collapse of the 90-day window signifies a paradigm shift, where AI tools enable attackers to exploit vulnerabilities before defenders can respond.”
— Thorsten Meyer

Unresolved Questions About Future Security Dynamics

It remains unclear how widespread the immediate exploitation of the Copy Fail bug has been, and whether other vulnerabilities are similarly being exploited in real-time. The extent to which vendors and organizations can adapt their detection and patching processes to the AI-driven landscape is also still uncertain. Additionally, the long-term implications of trust-boundary vulnerabilities taking precedence over memory-safety bugs are still emerging, with ongoing debate about necessary defensive innovations.

Next Steps for Security Stakeholders in a Post-Window Era

Security teams and vendors are expected to accelerate AI integration into their monitoring and patching workflows. Researchers may shift focus toward trust-boundary vulnerabilities and supply chain security. Policymakers and industry groups might consider revising disclosure frameworks to account for the rapid pace enabled by AI tools. Monitoring of exploit activity and further case studies of breaches like Vercel and Canvas will shape future best practices. The next 12-24 months will be critical for adapting to this new paradigm.

Key Questions

What does the end of the 90-day window mean for organizations?

It means organizations must enhance their real-time monitoring and response capabilities, as vulnerabilities can be exploited immediately after discovery without waiting for patches or disclosures.

How does AI-driven discovery change the role of security researchers?

AI tools now enable even non-expert actors to identify and exploit vulnerabilities quickly, reducing the traditional advantage held by skilled security researchers and reverse engineers.

Are there any defenses against AI-facilitated exploitation?

Defenses are evolving to include AI-aware detection systems, continuous monitoring, and rapid patch deployment, but the landscape remains highly dynamic and challenging.

What vulnerabilities are now most concerning?

Trust boundary flaws, such as OAuth scope misconfigurations, SaaS-to-SaaS authentication issues, and environment-variable abuse, are now among the most critical vulnerabilities, surpassing traditional memory-safety bugs.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.

The 90-Day Window Closed. Nobody Sent a Notice.

Author

Influenctor Team

Share article

The 90-day window closed.
Nobody sent a notice.

The patch is now the disclosure event.

Linux kernel vulnerability detection tools