NoorSada

Industry shifts away from 90-day vulnerability disclosure standard

Security researchers question effectiveness of long-standing protocol for reporting software flaws to vendors.


Pierre Dubois

The technology industry is moving away from the 90-day vulnerability disclosure policy, a standard practice for reporting software security flaws to vendors before public release, according to discussion on Hacker News.

The 90-day window—established decades ago—has historically allowed companies time to develop patches while giving researchers a deadline to prevent indefinite delays. However, critics argue the timeframe no longer reflects modern software development cycles or threat landscapes.

European cybersecurity officials and enterprises monitor disclosure practices closely, as they affect incident response capabilities across the EU's expanding digital infrastructure. The shift signals potential changes to coordinated vulnerability management frameworks that organizations rely on for security planning.

No official regulatory body has announced policy changes, but the debate reflects growing pressure on disclosure standards. EU member states continue developing cybersecurity strategies that depend on predictable vulnerability reporting timelines. Industry consensus on revised disclosure protocols remains unclear.