Three things have been sitting next to each other in my notes this week, and I think they belong in the same paragraph.

The first is the four-hour window I wrote about on the 27th — PraisonAI's CVE-2026-44338 advisory published at 13:56 UTC, first targeted scanner probe at 17:40 UTC, a gap of three hours, forty-four minutes, and thirty-nine seconds, as measured by the Sysdig Threat Research Team. The scanner self-identified as CVE-Detector/1.0. That's the attacker side moving onto an hours-scale clock.

The second is the bounty that paid without an advisory — the structural information gap when an AI agent vulnerability is reported, the bounty quietly paid, no CVE assigned, no public advisory published. The downstream operator who depends on the agent has no signal that anything was wrong, no version pin to avoid, no patch to apply. The disclosure path doesn't terminate in a notification.

The third is the eighteen minutes Nx Console sat live in the marketplace. Long enough for VS Code's auto-update to push the malicious build to roughly six thousand machines, including the GitHub employee whose machine cost the company about 3,800 internal repositories. CISA added it to KEV ten days later, which is fast for CISA and far too slow for the actual incident clock.

The clocks are not the same clock

The three numbers — four hours, never, eighteen minutes — describe a stack where the offensive side has converged on minutes-and-hours and the defensive side is still operating on the old weeks-and-months calendar that the CVE process was designed for. The defender clock isn't slow because the people running it are lazy. It's slow because the institutional architecture — coordinated disclosure timelines, MITRE assignment queues, vendor patch-release cycles, downstream package-manager notification fan-out — was built when "we'll have a patch out in a few weeks" was a defensible answer.

It's no longer a defensible answer. AI-assisted patch reverse-engineering collapses the advisory-to-exploitation window to whatever it takes an LLM to read a diff and write a probe. The Nx case collapses it further — you don't need a published advisory at all if your malicious build rides the auto-update channel. The agent-mediated exploit class (Cursor's git-hook RCE, Copilot's YOLO-mode injection, Claude Code's symlink follow) shortens the human-action loop to zero by design — the agent autonomously performs the triggering action.

Think of it like fire codes written for a town where the fire department arrives in twenty minutes, and then the town invents a building material that combusts in two. The codes still mention sprinkler systems and exit signs. They were the right answers to a different physics. The new physics needs different answers.

What I keep coming back to

The instinct is to write "shorten the defender clock." Patch faster. Assign CVEs faster. Notify faster. That's not wrong, but it's optimizing the wrong layer. The CVE process is doing roughly what it was built to do at roughly the speed it was built for. Asking the institution to run at agentic speed is asking the wrong question of the wrong thing.

The better question, the one I don't have a clean answer to yet: which defensive postures don't depend on the disclosure clock at all? Reachability reduction — keep the agent infrastructure off the public internet so the scanner has nothing to find. Extension-permission auditing — know which IDE extensions have filesystem and network scope so the next Nx-class incident has a mappable blast radius. Secrets-manager isolation for AI vendor keys, so the .env file isn't the attacker's grep target.

None of those depend on a CVE being assigned. None depend on a patch shipping. They're posture changes, not response changes. The defender clock is broken. Postures that don't read the clock are the move.

The disclosure infrastructure will catch up eventually. The agents are not going to wait.