TLDR; Score severity by collision count. Researchers ship patches not just reports. Companies redesign for a world where the exploit lands before the patch. No magic. No vendor pitch. Just the playbook. The last post went further than I expected. NYT’s Hard Fork picked it up. The Lobsters thread had sharp questions. A few people made a fair point. “The model is broken” is a complaint not a proposal. So here is the proposal.

TLDR The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near-zero. I have seen it first hand, and so has everyone else paying attention. This post lays out why the old model is broken, with real stories, and makes one ask to the industry: treat every critical security issue as P0 and patch it immediately.

LLM generated code can ships demo logic with security issues not defenses. Here is a real world example and how it could be abused.

A lightweight, fast, and easy-to-use service for detecting LLM prompt injection attempts before they reach your model. No extra latency, no extra LLM calls — just a simple API that returns true or false.