
🎯 Basically, CISA wants AI companies to help find and report software vulnerabilities.
What Happened
At the recent VulnCon26 conference, Lindsey Cerkovnik, head of vulnerability management at CISA, emphasized the need for AI companies like OpenAI and Anthropic to play a more significant role in the Common Vulnerabilities and Exposures (CVE) program. Cerkovnik highlighted that the CVE program has seen a dramatic increase in reported vulnerabilities, and with the rise of AI tools, this trend is likely to continue.
Who's Affected
The call for AI companies to be more engaged in vulnerability disclosures impacts a wide range of stakeholders, including software developers, cybersecurity professionals, and organizations that rely on secure software. As AI tools become integral to vulnerability discovery, their involvement in the CVE program could enhance the overall security landscape.
What Data Was Exposed
Cerkovnik pointed out that AI models, such as Anthropic's Claude Mythos Preview, have already demonstrated capabilities in discovering zero-day vulnerabilities. This model reportedly found thousands of vulnerabilities and even chained several in the Linux kernel, which is critical for server operations worldwide. This highlights the potential for AI to uncover significant security flaws that may have otherwise gone unnoticed.
What You Should Do
Organizations should consider collaborating with AI firms to leverage their capabilities in vulnerability detection. Staying updated on the CVE program's developments and participating in forums like the CVE Consumer Working Group can also help in understanding the evolving landscape of vulnerabilities. Additionally, companies should prepare for an expected surge in CVE reports, with forecasts suggesting up to 70,135 new vulnerabilities by the end of 2026.
The Evolution of the CVE Program
Cerkovnik's remarks come as part of a broader strategy to diversify the CVE program, which now includes over 500 contributors and aims to increase the number of CVE Numbering Authorities (CNAs). This push for diversification is crucial as it seeks to incorporate various cybersecurity practitioners, including AI companies, into the vulnerability reporting process.
Future Outlook
CISA remains committed to funding the CVE program, viewing it as a top priority. As AI technologies continue to evolve, their integration into vulnerability management processes could lead to more efficient discovery and reporting of vulnerabilities, enhancing overall cybersecurity efforts.
🔒 Pro insight: Integrating AI companies into the CVE program could significantly enhance vulnerability discovery and reporting efficiency, addressing the rapid growth of software vulnerabilities.




