CISA asks AI firms to join CVE programme

A senior CISA official said AI companies should play a larger role in the Common Vulnerabilities and Exposures (CVE) programme, signalling a push to fold AI vendors into established vulnerability‑disclosure and remediation processes. (infosecurity-magazine.com)

The Cybersecurity and Infrastructure Security Agency wants artificial intelligence companies inside the system that names and tracks software flaws, not outside it. (infosecurity-magazine.com)

Lindsey Cerkovnik, head of vulnerability management at CISA, said at VulnCon that artificial intelligence vendors should play a bigger role in vulnerability disclosure. The remarks were reported on April 15, 2026. (infosecurity-magazine.com)

The Common Vulnerabilities and Exposures program is the shared catalog used to give public names to security bugs. The program says its network now supports more than 326,000 records, and CISA said in September 2025 that the program had grown to more than 460 CVE Numbering Authorities, the organizations allowed to assign identifiers. (cve.org) (cisa.gov)

That matters because artificial intelligence products are moving from research demos into enterprise tools, coding assistants, and customer-facing systems. The CVE program said in July 2024 that it had already started working through which artificial-intelligence-related issues belong inside the CVE system and which do not. (cve.org)

A CVE Numbering Authority works like an approved registrar: it can assign a CVE identifier and publish the first record for vulnerabilities in its scope. The official CVE rules say those authorities operate under program rules approved in May 2025. (cve.org)

The hard part with artificial intelligence is scope. The CVE program's 2024 guidance said that a bad outcome or security impact is not automatically a CVE-style vulnerability, and it used poisoned model uploads such as PoisonGPT as an example of an issue that may extend beyond the program's traditional boundaries. (cve.org)

CISA has already been trying to widen who shapes the program. In its September 10, 2025 vision document, the agency said it wanted better representation from academia, vulnerability tool providers, security researchers, operational technology groups, open-source communities, and international partners. (cisa.gov)

The agency also said the program was moving from a "growth era" to a "quality era," with more focus on trust, responsiveness, and data quality than on simply adding participants. Folding artificial intelligence vendors into that structure would put model makers under the same disclosure machinery used by software and infrastructure companies. (cisa.gov)

The immediate question is whether large model developers become CVE Numbering Authorities themselves or work through existing authorities and researchers. CISA's message at VulnCon was narrower than a mandate, but it pointed artificial intelligence companies toward the established playbook for reporting, naming, and fixing security flaws. (infosecurity-magazine.com)
