Zero days, zero order: The chaos reshaping vulnerability disclosure

The rules of responsible disclosure were written for a different era — one where humans found bugs, humans reported them, and 90 days felt like plenty of time to patch. That era is over.

In this episode, Greg sits down with Gal Elbaz, co-founder and CTO of Oligo Security, to unpack how AI-assisted vulnerability research is breaking the frameworks the security industry has relied on for decades. From MITRE admitting it can no longer keep up with the volume of CVE reports, to Linus Torvalds saying the same about the Linux kernel, the cracks in the system are impossible to ignore.

Gal draws on his years as a hands-on researcher at Check Point — and his current work leading Oligo’s research team — to offer perspective from both sides of the disclosure table. He and Greg dig into the Microsoft controversy, the tension between researcher leverage and community responsibility, and why the Spider-Man rule applies more than ever to the security research community right now.

They also tackle the big questions: Should disclosure timelines be based on exploitability rather than a fixed number of days? Who owns the decision to accelerate a disclosure? And is it time to throw out CVSS scores and build something new?

Gal’s bottom line: the noise needs to be cut, the critical bugs need better definition, and both vendors and researchers need to get back to the table — as humans.

For our reporter chat, Greg talked with Derek Johnson about the reaction to the Trump administration’s fight with Anthropic.