Technology · May 13, 2026 · 3 min read

Forget 90 Days to Release a Patch: AI Only Needs 30 Minutes to Breach a System

The spread of tools based on LLMs (large language models) is profoundly redefining the cybersecurity sector, with direct consequences for the time needed to detect and exploit software vulnerabilities. According to an analysis by researcher Himanshu Anand, the traditional 90-day "responsible disclosure" standard, the window between notification of a vulnerability and the vendor's fix before it becomes public, no longer offers sufficient guarantees in a scenario where artificial intelligence can analyze code and error patterns at unprecedented speed.

The problem is not that AI is theoretically more capable than human researchers, but that it can operate continuously, 24/7, applying pattern recognition at scale. This allows vulnerabilities to be identified very quickly, especially in areas already known for high exposure, such as memory management, software dependencies, and zero-copy mechanisms.

Recent cases like Copy Fail and Dirty Frag, local privilege escalation vulnerabilities affecting the Linux kernel, clearly illustrate the change. Both flaws exploited insecure implementations of zero-copy mechanisms, a technique that avoids duplicating data in memory to improve performance but can open the way to administrator privileges when implemented incorrectly. Notably, Dirty Frag became public a little over a week after the initial report, much earlier than the standard window.

According to Anand, this acceleration points to an undeniable reality: by the time a vulnerability is discovered by ethical researchers, there is a high probability that automated or malicious tools have already identified it, or can replicate the finding in minimal time. One incident reported by the same researcher, involving a flaw in an e-commerce site that allowed purchases for $0, shows how 10 researchers identified the same issue almost simultaneously within six weeks.

Triage teams confirm the phenomenon: after new vulnerabilities are published or reported, a rapid wave of duplicate reports follows. This implies that AI-based automation is steering researchers towards the same weaknesses with ever faster convergence, drastically reducing the time companies have to apply traditional monthly patches.

Another critical element is the speed of weaponization, i.e., the time it takes attackers to turn a vulnerability into a concrete, functional threat. Anand claims to have created a working exploit for a vulnerability already disclosed and patched in the React framework in just 30 minutes using LLM tools. This shows how, within minimal time, even already-patched software becomes a source of risk for anyone who does not install the update almost immediately.

For these reasons, Anand has taken a strong stance on the issue: every critical vulnerability must be treated as P0, i.e., the highest priority, with immediate fixes. The classic 30-day window between discovery and patch release is becoming increasingly ineffective, especially when attackers analyze repositories, source code changes, or commit diffs in real time.

The open-source world retains significant advantages thanks to code transparency and the ability to develop fixes within hours, as demonstrated by the 423 security fixes published by Mozilla in April. However, the very accessibility of the code is now a double-edged sword, since it also facilitates automated analysis of weaknesses.

On the closed-source front, the protection afforded by unavailable source code may be less solid than expected: decompilation, binary analysis, and AI-assisted network scanning still broaden the search surface. In this context, large software companies may soon face similar challenges.

For developers, system administrators, and vendors, the new scenario requires integrating LLMs into code review, deployment, and dependency-checking processes as an effective countermeasure. Artificial intelligence is no longer just an offensive tool in the hands of attackers but a necessary component for staying competitive on defense, in a race now measured in hours, not months.