Google has published exploit code for a Chromium vulnerability before most users have patched, potentially exposing millions to attacks. The move raises important questions about responsible disclosure timelines and whether rapid publication does more harm than good.

Ars Technica reports that Google released working exploit code for a recently disclosed Chromium security flaw, following their standard disclosure timeline. The problem: patch adoption rates for browsers are notoriously slow, and millions of users are still running vulnerable versions.

Google's philosophy on vulnerability disclosure is aggressive: publish fast, pressure users to update, and don't give attackers the luxury of time. The theory is that rapid disclosure forces everyone - users, vendors, and enterprises - to take patching seriously. Sitting on vulnerabilities for months while everyone slowly updates just delays the inevitable.

That theory works great when users actually update. But browser update rates, particularly for Chromium-based browsers that aren't Chrome itself (Edge, Brave, Opera, etc.), are slower than you'd think. Enterprises are even worse - many companies test updates extensively before rolling them out, meaning they can be running months-old browser versions.

So here's the dilemma: Google publishes exploit code to force urgency around patching. But in the window between publication and widespread patching, criminals have a working exploit handed to them. Google's pushing for faster patch cycles, which is noble. But what happens when users don't update and criminals get working exploits?

The answer is: exactly what you'd expect. Exploit code gets weaponized, attacks spike, and users who didn't update (often through no fault of their own - enterprise IT policies, automatic updates disabled, etc.) get compromised.

Security researchers are divided on this approach. Some argue that transparency and rapid disclosure are always better than security through obscurity. Others point out that responsible disclosure should account for real-world patch adoption rates, not idealized timelines.

What's clear is that Google's approach assumes a level of patch discipline that doesn't exist in practice. Automatic updates work for consumer Chrome users. They don't work for enterprises, embedded systems, or users of Chromium-based browsers with slower update cycles.

The broader issue here is that we're still figuring out how to handle vulnerability disclosure in an era where software is everywhere, patching is inconsistent, and exploit code spreads instantly. Google's model optimizes for transparency and pressure. But that comes at the cost of arming attackers before defenses are widespread.

For users, the message is clear: enable automatic updates, actually install them when prompted, and understand that the window between disclosure and weaponization is measured in days, not weeks. Google's disclosure policy isn't changing. Which means you need to patch faster, or accept the risk.