Defender playbook for the LLM era

TLDR; Three posts ago I wrote that the house was on fire; the most important question that arises is what we should do next. The attackers already point LLMs at your code. This post is just: point the same LLMs at your own code first (read the headers if you are busy). So far this series has been a caffeinated me, telling everyone that the sky is falling. The 90 day window is dead.

30 Minutes from patch to exploit

TLDR; I read five security patches and derived working exploits from all five. The slowest took 30 minutes and the fastest took two. An LLM did most of the heavy lifting while I pushed buttons. This is the working behind my post "The 90 day disclosure policy is dead": the gap between "patch ships" and "exploit exists" is now measured in minutes. In the first post I mentioned that a patch can be turned into a working exploit in 30 minutes.

Score by collisions, Patch by panic

TLDR; Score severity by collision count. Researchers ship patches, not just reports. Companies redesign for a world where the exploit lands before the patch. No vendor pitch, just a concrete playbook. The last post went further than I expected. NYT's Hard Fork picked it up. The Lobsters thread had sharp questions. A few people made a fair point: "the model is broken" is a complaint, not a proposal. So here is the proposal.

The 90 day disclosure policy is dead

TLDR; The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near zero. I have seen it first hand, and so has everyone else paying attention. This post lays out why the old model is broken, with real stories, and makes one ask of the industry: treat every critical security issue as P0 and patch it immediately.