CISA pushes AI vendor disclosures
CISA's head of vulnerability management said AI companies should play a larger role in vulnerability disclosure programs, signalling a move to treat AI vendors more like infrastructure suppliers (infosecurity-magazine.com). Lindsey Cerkovnik’s comments suggest expectations for formal participation by AI firms in CVE processes may increase (infosecurity-magazine.com).
The Cybersecurity and Infrastructure Security Agency is pressing artificial intelligence companies to take a bigger role in the system that names and tracks software flaws. (infosecurity-magazine.com)

Lindsey Cerkovnik, chief of the Vulnerability Response and Coordination Branch at the agency, said on April 14 at VulnCon 2026 in Scottsdale, Arizona, that artificial intelligence companies “should be better represented” in the Common Vulnerabilities and Exposures program. The program is run by MITRE and sponsored by the agency. (infosecurity-magazine.com, cve.org)

The Common Vulnerabilities and Exposures program is the shared naming system for publicly known security bugs, so defenders, vendors, and governments can talk about the same flaw using one identifier. The agency also uses those identifiers in its Known Exploited Vulnerabilities catalog, which listed 1,566 entries when accessed on April 16. (cve.org, cisa.gov)

The push comes as the Common Vulnerabilities and Exposures program is already handling faster growth in reports. Cerkovnik said new artificial intelligence tools are helping find valid bugs and also surfacing lower-value reports, putting the program at what she called “a turning point.” (infosecurity-magazine.com)

The Common Vulnerabilities and Exposures board has been working on this problem since at least July 2024, when it published a blog series on how to handle artificial intelligence-related vulnerabilities. That work drew a line between software flaws that fit the program and broader artificial intelligence safety or model-behavior problems that may not qualify for a Common Vulnerabilities and Exposures identifier. (cve.org)

That distinction matters because many artificial intelligence failures do not look like classic software bugs. The board said in 2024 that a harmful output or bad security outcome does not automatically mean a vulnerability qualifies for a Common Vulnerabilities and Exposures identifier. (cve.org)

The pressure is rising as artificial intelligence tools move deeper into security work itself. Infosecurity Magazine reported that Anthropic recently launched Claude Mythos Preview for 40 members of Project Glasswing, and OpenAI launched GPT-5.4-Cyber on April 14 for members of its Trusted Access for Cyber Defense program. (infosecurity-magazine.com)

Artificial intelligence software is also showing up in the vulnerability pipeline as a target, not just a tool. The agency’s March 26 warning on Langflow, a framework for building artificial intelligence agents, said attackers were actively exploiting CVE-2026-33017, a critical code-injection flaw. (bleepingcomputer.com)

Cerkovnik did not announce a formal rule change on April 14. But the message from the agency’s vulnerability office was that artificial intelligence vendors are being discussed less like a separate category and more like suppliers expected to participate in the disclosure machinery used across the rest of software. (infosecurity-magazine.com, cve.org)