
AI Uncovers Widespread Flaws, Patch Responsibility Unclear

Summary

– The mean time to exploit a vulnerability has dropped from days to hours, with one vendor reporting a six-hour-and-40-minute window between a patch release and exploitation.
– India’s CERT-In now mandates patching actively exploited internet-facing vulnerabilities within 12 hours, critical flaws within one day, and high-severity bugs within five days.
– Tight patch deadlines can create logistical challenges in large global organizations due to time zones and approval chains, risking rushed fixes that may impede safe remediation.
– The EU’s Cyber Resilience Act takes a producer-centric approach, placing legal obligations on vendors for secure development and disclosure, which shifts accountability upstream.
– The US relies on a market-driven, user-focused patchwork of buyer demands, insurance pricing, and voluntary standards, often prioritizing time-to-market over security.

Two of the most advanced AI labs, OpenAI and Anthropic, are now granting broader access to their latest large language models, Claude Mythos and GPT5.5, which have demonstrated the ability to autonomously discover and patch security vulnerabilities at scale. This development is reshaping how organizations approach flaw remediation.

The patching lifecycle is expected to accelerate significantly across many enterprises. Kevin Jones, Group CISO at Bayer, shared insights at Infosecurity Europe after speaking with IT vendors, including cloud hyperscalers. He noted that the average time for attackers to exploit a vulnerability has collapsed from days to just hours.

“In the past, when a patch was released with no known public exploit, organizations had a seven to ten day window to deploy it on isolated systems, test it, and roll it out to internet-facing infrastructure,” Jones explained. “That window allowed time for attackers to reverse engineer the patch, identify vulnerabilities, write exploits, and scale their attacks.”

Now, vendors report that threat actors can go from patch release to active exploitation in as little as six hours and 40 minutes, even when no exploit was previously known.

India Mandates 12-Hour Patch Deadlines

In response to this shrinking timeline, India’s Computer Emergency Response Team (CERT-In) has imposed aggressive new requirements: actively exploited internet-facing vulnerabilities must be patched within 12 hours, critical flaws within one day, and high-severity bugs within five days.
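The three CERT-In windows quoted above are the kind of rule a vulnerability-management team would encode in its tracking tooling. The following is an added illustration, not code from the article or from CERT-In: it computes the deadline each finding falls under, flags items that are open, overdue, or patched late, and orders the backlog by deadline. The precedence rule (when several tiers apply, the narrowest window wins) and the `VULN-*` identifiers and timestamps are constructed for the example, not taken from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Remediation windows as reported for CERT-In in the article. The precedence
# rule (narrowest applicable window wins) is an assumption of this example.
WINDOW_EXPLOITED_INTERNET_FACING = timedelta(hours=12)
WINDOW_CRITICAL = timedelta(days=1)
WINDOW_HIGH = timedelta(days=5)


@dataclass
class Vuln:
    ident: str                   # tracking id (constructed placeholder, not a real CVE)
    severity: str                # "critical", "high", "medium" or "low"
    actively_exploited: bool
    internet_facing: bool
    fix_available: datetime      # when the vendor patch/advisory was published
    patched: Optional[datetime]  # when the fix was deployed; None if still open


def remediation_window(v: Vuln) -> Optional[timedelta]:
    """Tightest window that applies to v, or None if no mandated window applies."""
    windows = []
    if v.actively_exploited and v.internet_facing:
        windows.append(WINDOW_EXPLOITED_INTERNET_FACING)
    if v.severity == "critical":
        windows.append(WINDOW_CRITICAL)
    elif v.severity == "high":
        windows.append(WINDOW_HIGH)
    return min(windows) if windows else None


def deadline(v: Vuln) -> Optional[datetime]:
    """Deadline measured from the moment a fix became available."""
    w = remediation_window(v)
    return v.fix_available + w if w is not None else None


def status(v: Vuln, now: datetime) -> str:
    """Classify v against its deadline as of `now`."""
    d = deadline(v)
    if d is None:
        return "untracked"  # outside the mandated tiers; normal change process applies
    if v.patched is not None:
        return "compliant" if v.patched <= d else "patched_late"
    return "overdue" if now > d else "open"


def triage(vulns, now: datetime) -> dict:
    """Map each vuln id to its status, soonest deadline first, untracked items last."""
    far_future = datetime.max.replace(tzinfo=timezone.utc)
    ordered = sorted(vulns, key=lambda v: deadline(v) or far_future)
    return {v.ident: status(v, now) for v in ordered}


# Constructed sample inventory; every value below is made up for the example.
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
NOW = datetime(2024, 1, 2, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    Vuln("VULN-A", "critical", True, True, T0, T0 + timedelta(hours=10)),    # 12h tier, met
    Vuln("VULN-B", "high", False, True, T0, None),                           # 5-day tier, still open
    Vuln("VULN-C", "critical", False, False, T0 - timedelta(days=1), None),  # 1-day tier, missed
    Vuln("VULN-D", "medium", True, False, T0, None),                         # no mandated tier
    Vuln("VULN-E", "high", True, True, T0, T0 + timedelta(hours=20)),        # 12h tier, patched late
]

if __name__ == "__main__":
    for ident, state in triage(SAMPLE, NOW).items():
        print(f"{ident}: {state}")
```

Note that the clock starts at `fix_available`, the vendor's release time, not at the time the finding lands in the tracker; with exploitation now measured in hours after release, any lag between those two timestamps eats directly into the window.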

Andrey Lukashenkov, head of revenue at Vulners, told Infosecurity that such a mandate “sounds decisive.” However, he cautioned that for large, global organizations, these tight deadlines clash with time zones, approval chains, and change controls. What seems like a firm directive can become “a logistical nightmare,” potentially hindering safe remediation rather than helping it.

Lukashenkov argued that while such rules push pressure onto vendors for rapid patch delivery, they risk encouraging hasty fixes or breaking established change processes when coordination is impractical.

EU vs. US: Divergent Patching Policy Approaches

Lukashenkov contrasted India’s approach with the EU’s Cyber Resilience Act (CRA), which he described as more explicitly producer-centric. The CRA “leans on vendors to own product security,” imposing obligations for secure development, disclosure, and user notification.

He called this approach sensible from a policy perspective because it aligns legal responsibility with those who build the code. Still, he warned that compliance does not automatically shorten exploitation windows. “Regulation can move the needle on accountability, but it won’t replace sound architecture and resilient operations,” he said.

Michael Price, VP of product engineering at VulnCheck, offered a different perspective. He contrasted the EU’s vendor-focused stance with the more market-driven, user-centric model prevalent in the United States.

Price noted that Europe “is trying to force responsibility upstream,” placing legal and technical obligations on software producers to design and deliver more secure products. This shifts cost and accountability toward vendors, potentially driving systemic improvements, though it may slow innovation.

In the US, by contrast, the burden often falls on users and operators to defend themselves. “There’s an emphasis on avoiding regulation because regulators can slow down growth,” Price explained. As a result, many companies prioritize time-to-market over security, leaving downstream customers to handle patching, prioritization, and compensating for insecure defaults.

Lukashenkov agreed, observing that US practice relies on a mix of market pressure, liability considerations, and voluntary standards rather than a single, prescriptive timeline. “In the US, you get a patchwork of expectations,” he said. “Buyers demand fixes, insurers price risk, and vendors respond. There’s no one-size-fits-all solution.”

(Source: Infosecurity Magazine)
