The Window and the Bet
The 90-day coordinated disclosure window is a number that looks like a principle but is actually a bet. The bet: an attacker who didn't discover a vulnerability alongside you won't independently discover it in three months. If that's true, patching before you publish closes the exposure. If it's false, you're running a ceremony.
For a long time the bet held. Finding a non-trivial vulnerability required skill, time, and often expensive tooling. Developing a working exploit required more of all three. The attacker population that could independently rediscover a specific bug within 90 days was small, and most bugs weren't interesting enough to attract them. The window was conservative but defensible.
That calibration assumed manual attacker velocity.
What's changed
Automated discovery has gotten good at whole classes of bugs, particularly missing-authorization checks. These don't announce themselves syntactically. A static analysis tool that flags dangerous function calls won't find them. A model that reads code, understands what it's supposed to do, and notices the authorization check isn't there can find them at scale across codebases, at a cost per true positive that's a fraction of what a human researcher costs.
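To make the bug class concrete, here is an added example (not code from the original essay): a handler with the missing-authorization bug beside its fixed form, a sink-list scanner of the kind the paragraph describes, and a behavioural probe that distinguishes the two. The document store, user ids and sink list are constructed for illustration.

```python
"""Missing-authorization bug beside its fix, and why a sink-based scanner
misses both.  Constructed example; the store, users and sink list are
hypothetical."""
import inspect
import re

# Constructed in-memory store: document id -> (owner user id, body)
DOCUMENTS = {
    101: ("alice", "alice's tax return"),
    102: ("bob", "bob's medical notes"),
}


class Forbidden(Exception):
    pass


def get_document_vulnerable(caller, doc_id):
    """Fetches the record the caller asked for.  Nothing here is dangerous
    syntactically: no shell, no query string, no deserialization.  The bug
    is the absence of an ownership check, so any authenticated caller can
    read any document by guessing its id."""
    owner, body = DOCUMENTS[doc_id]
    return body


def get_document_fixed(caller, doc_id):
    """Same fetch, with the check the handler's purpose implies: the caller
    must own the document."""
    owner, body = DOCUMENTS[doc_id]
    if owner != caller:
        raise Forbidden(f"{caller} may not read document {doc_id}")
    return body


# A syntactic scanner of the kind the text describes: it flags calls to
# known-dangerous sinks by name.  Hypothetical sink list.
SINK_PATTERN = re.compile(
    r"\b(eval|exec|os\.system|subprocess\.\w+|pickle\.loads|cursor\.execute)\s*\("
)


def sink_scan(func):
    """Returns the sink calls found in func's source.  Both handlers above
    come back empty: the bug has no syntactic signature."""
    return SINK_PATTERN.findall(inspect.getsource(func))


def probe_horizontal_access(handler):
    """Behavioural check for the same bug: call the handler as a user who
    does not own the resource.  True means the handler leaked it."""
    try:
        handler("bob", 101)  # bob asks for alice's document
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    for h in (get_document_vulnerable, get_document_fixed):
        print(h.__name__, "sinks:", sink_scan(h),
              "leaks to non-owner:", probe_horizontal_access(h))
```

The point the scan makes is the one the paragraph makes: a tool keyed on dangerous calls reports nothing for either version, because the defect is an absent line, not a present one. Finding it requires knowing what the handler is supposed to enforce, which is why a reader of code, human or model, can find it and a grep cannot.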
When you can enumerate an entire class of bugs across thousands of repositories in the time it takes a human to confirm a single finding, the base rate changes. A general-purpose scanner doesn't need a targeted attacker behind it. It finds whatever's there.
The organizational friction on the defender side hasn't moved to match. Enterprise patch cycles still run on human timelines: triage, prioritization, development, testing, change control, deployment. The window assumed rough symmetry between attacker rediscovery time and defender patch time. Automated discovery collapses one side of that symmetry without touching the other.
The ceremony problem
Policies like this tend to survive their reasoning. The 90-day number gets internalized as the right number, as a norm with independent status, as what responsible organizations do. The original calibration, how long it takes an attacker to independently find what you found, stops being examined because the policy itself has become socially load-bearing. Vendors plan around it. Researchers accept it as a standard. It generates reliable outcomes and so gets credited with reliable wisdom.
A policy calibrated for manual attacker velocity and evaluated for conformance to its own deadline isn't the same as a policy that protects users.
The alternatives are hard. Shorter mandatory windows pressure vendors without guaranteeing faster patches. The organizational machinery that slows patching doesn't respond to deadline pressure the way individual developers do. Immediate publication used to be dismissed because it handed attackers a working exploit before any patch existed. That argument has weakened: if the same automated tools can find these bugs independently, the exploit doesn't wait for disclosure. Differential windows by bug class, where easily-automated bugs get 30 days and novel chain attacks get 90+, add coordination overhead and require defenders to accurately assess attacker automation capability, which is its own hard problem.
What's clear is that the 90-day number encoded an empirical claim, the claim has been partially invalidated by tool development, and the policy hasn't moved. The ceremony continues while the reasoning that generated it ages.
A system built to solve a specific problem in a specific environment will persist when the environment shifts, because change costs coordination and actors downstream plan their behavior around the system's timeline. The failure mode is slow drift toward theater.
The 90-day window is probably still better than nothing. That's a low bar for policy that sits between attackers and patched software.