VYPR trend, published Jun 3, 2026 (1 source)

Patch Responsibility Debate Intensifies Amidst AI-Driven Vulnerability Discovery

As AI rapidly unearths and potentially fixes software flaws, the cybersecurity industry grapples with who bears the ultimate responsibility for patching and how to manage increasingly short exploit windows.

The rapid advancement of Artificial Intelligence (AI) models, exemplified by OpenAI's GPT5.5 and Anthropic's Claude Mythos, is fundamentally reshaping the cybersecurity landscape, particularly concerning vulnerability management and patching.

These sophisticated AI systems are demonstrating an unprecedented ability to autonomously discover and even fix software vulnerabilities at scale. This capability is dramatically compressing the traditional timelines for exploitation. Kevin Jones, Group CISO at Bayer, noted at Infosecurity Europe that vendors are now assessing the mean time to exploit a vulnerability to be mere hours, a stark contrast to the previous days or even weeks.

This accelerated threat environment has prompted drastic measures. India's Computer Emergency Response Team (CERT-In) has mandated patching actively exploited internet-facing vulnerabilities within 12 hours, critical flaws within a day, and high-severity bugs within five days. While seemingly decisive, experts like Andrey Lukashekov, head of revenue at Vulners, caution that such tight deadlines can become a "logistical nightmare" for large, global organizations due to time zone differences, complex approval chains, and change control processes.

Regulatory approaches to this challenge are diverging. The European Union's Cyber Resilience Act (CRA) adopts a producer-centric model, placing explicit obligations on software vendors for secure development, disclosure, and user notification. This aligns legal responsibility with the creators of the code, a sensible policy move according to Lukashekov, though it may not inherently shorten exploitation windows.

In contrast, Michael Price, VP of product engineering at VulnCheck, describes the US approach as more market-driven and user-centric. The US often prioritizes avoiding regulation to foster innovation, which can inadvertently shift the burden of patching, prioritization, and remediation onto end-users and operators, potentially leaving them to compensate for insecure defaults.

Lukashekov observes that the US model relies on a combination of market pressure, liability considerations, and voluntary standards, resulting in a "patchwork of expectations" where buyers demand fixes, insurers price risk, and vendors respond without a uniform cadence.

Price argues that there is no single correct answer, as regulation can elevate baseline security but also introduce costs. He advocates for a balanced approach in the US, acknowledging the need for more regulation to combat widespread insecurity without stifling innovation.

The differing strategies—India's speed-first mandate, the EU's producer accountability, and the US's market-driven ecosystem—create both opportunities and friction. Ultimately, policymakers must carefully consider which aspects of the vulnerability lifecycle to influence and ensure that producer obligations are aligned with defender capabilities, rather than imposing potentially unachievable timelines. The core challenge remains rewiring incentives so that producers, customers, and regulators collectively work towards minimizing exploitability windows.

Synthesized by Vypr AI