// #coordinated-disclosure

1 article

Pwn2Own's 90-day coordinated disclosure rule gives vendors time to patch before technical details are made public. For enterprise defenders, the same 90 days is a known timeline during which the confirmed existence of specific zero-days — but not their technical details — is public. Understanding how to use that window is an underexplored aspect of enterprise vulnerability management.

May 18, 2026 #vulnerability-management +5

Commentary tagged #coordinated-disclosure

Opinion

When Microsoft, SAP, Ivanti, and Palo Alto All Patch Critical Flaws on the Same Day, We Have a Coordination Problem

The week of 9 June 2026 delivered critical security patches from at least four major vendors on the same day, plus a Linux kernel PoC, plus a CISA KEV batch. The security community has created a coordination structure — Patch Tuesday — that has the opposite of its intended effect: it concentrates defender workload in a single week every month while giving attackers 30 predictable days to prepare.

CipherWatch Editorial

Security Intelligence Platform

Jun 12, 2026

Opinion

The 90-Day Patch Clock Is a Threat Actor Countdown Timer — We Should Use It That Way

Pwn2Own's 90-day coordinated disclosure window is designed to give vendors time to patch. But for enterprise defenders, it is also a confirmed, public notice that specific classes of zero-day vulnerability exist in named products. Most organisations wait for the patch to act. The ones that prepare during the 90-day window have a meaningful advantage.

CipherWatch Editorial

Security Intelligence Platform

May 18, 2026

The Pwn2Own 90-Day Clock: How Defenders Should Use the Patch Window Before Public Disclosure

Commentary tagged #coordinated-disclosure

When Microsoft, SAP, Ivanti, and Palo Alto All Patch Critical Flaws on the Same Day, We Have a Coordination Problem

The 90-Day Patch Clock Is a Threat Actor Countdown Timer — We Should Use It That Way