Feb 7, 2026
Link: https://spaceraccoon.dev/discovering-negative-days-llm-workflows/
Time-to-Exploit is Negative
By now, you’ve probably read Anthropic’s zero-days blogpost where an “out-of-the-box” Claude Opus 4.6 workflow was used to find 500 vulnerabilities in open-source projects. While I think this is a logical application of LLMs (see my keynote at the recent Association for the Advancement of Artificial Intelligence workshop on Artificial Intelligence for Cyber Security), it was this paragraph in the blogpost that interested me the most:
At the same time, existing disclosure norms will need to evolve. Industry-standard 90-day windows may not hold up against the speed and volume of LLM-discovered bugs, and the industry will need workflows that can keep pace.
This problem had been bothering me for a while. Open-source projects are inundated with LLM-generated reports precisely because they are so accessible to scanners: the code is public, and it is trivial to run a decent code-oriented model over it. On top of that, the open-source security disclosure process is uneven and may not be equipped to deal with the resulting flood of reports – valid and invalid alike.
However, there is a far more logical outcome that is already well underway – the sharp drop in time-to-exploit for CVEs, to the point where it is now negative (as per Mandiant’s latest reports), meaning exploitation happens before the CVE is even published. This is driven by the increase in zero-days and by how quickly n-days can be reverse-engineered from the moment a CVE is published. For open-source projects, the risk is even greater because security patches themselves are public.