
AI Companies To Play Bigger Role in CVE Program, Says CISA

By Team-CWD, April 16, 2026


AI companies like OpenAI and Anthropic should play a bigger role in software vulnerability disclosures in the future, according to a leader of the world’s largest vulnerability disclosure scheme.

Speaking at the opening of VulnCon26 in Scottsdale, Arizona, on April 14, Lindsey Cerkovnik said AI companies “should be better represented” in the Common Vulnerabilities and Exposures (CVE) program.

As chief of the Vulnerability Response & Coordination (VRC) Branch at the US Cybersecurity and Infrastructure Security Agency (CISA), sole sponsor of the MITRE-run CVE program, Cerkovnik and her team manage coordinated vulnerability disclosures for the CVE program.

She acknowledged that the program has faced a rapid growth of reported vulnerabilities over the past year and that the evolution of AI platforms will likely accelerate that growth.

“With the arrival of new AI tools, some helping discover valid vulnerabilities, others perhaps finding things with less value, we’re at a turning point,” Cerkovnik said.

Anthropic, OpenAI Speed Up on AI-Powered Vulnerability Research

Cerkovnik’s VulnCon speech came just a few days after the launch of Claude Mythos Preview, Anthropic’s new large language model (LLM) that promises to autonomously find and fix cybersecurity vulnerabilities at scale.

Today, Mythos is only available to the 40 members of Project Glasswing. 

In testing, the model allegedly discovered thousands of zero-day vulnerabilities which had not previously been identified.

The model also autonomously found and chained several vulnerabilities in the Linux kernel, software used to run most of the world’s servers, which would allow an attacker to escalate from ordinary user access to complete control of a machine.

Upon testing Mythos Preview in a simulation environment, researchers at the UK’s AI Security Institute (AISI) said they “cannot say for sure” whether Mythos Preview would be able to successfully attack “well-defended systems.” 

On April 14, OpenAI launched GPT-5.4-Cyber, a version of GPT-5.4 fine-tuned for cybersecurity use cases and only available to members of its “Trusted Access for Cyber Defense” program.

50,000 to 70,000 Expected CVEs in 2026

Notably, the speed of vulnerability disclosures was already accelerating long before the launch of Mythos and OpenAI’s GPT-5.4-Cyber.

The CVE program counts 327,000 unique CVE records to date. Of those, Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, observed that 18,247 were reported in 2026, a 27.9% growth from the same period in 2025.

Additionally, Gamblin calculated an average of 174 CVEs reported daily this year, compared to 132 in 2025.

In February 2026, the Forum of Incident Response and Security Teams (FIRST), which co-hosts VulnCon with the CVE program, forecast a record-breaking 50,000 additional CVEs to be reported in 2026.

Gamblin expects even bigger growth, with a forecast of 70,135 CVEs by the end of this year. This would reflect a 45.6% growth rate compared to 48,171 in 2025.

AI Companies Could Become Official Vulnerability Reporters

Cerkovnik’s call for closer integration of AI companies into the CVE program aligns with the program’s broader diversification strategy.

This strategy was illustrated by the launch of two new forums in July 2025, the CVE Consumer Working Group (CWG) and the CVE Researcher Working Group (RWG).

One of the main objectives is to grow the number of CVE Numbering Authorities (CNAs), organizations that are allowed to publicly disclose a vulnerability and assign it a CVE identifier.

At the end of March 2026, the CVE program announced it had reached over 500 contributors, with 502 CNAs now registered.

Diversification of the CVE program also means internationalization of the program, with more European-based CNAs to be vetted in the future, commented Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at the European Cybersecurity Agency (ENISA).

Speaking to Infosecurity, his colleague, Johannes Kaspar Clos, a responsible disclosure expert at ENISA, said he would welcome AI companies to also become CNAs.

“We need to include a diverse crowd of cybersecurity practitioners, from product and national computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) to researchers and vulnerability finders. Anthropic is one example of a company who identified vulnerabilities and therefore, is of course rightfully mentioned in being a potential CNA,” Clos said.

While he welcomed the launch of Claude Mythos and other AI-powered tools allowing researchers to find more vulnerabilities, Clos said he would have preferred such models’ capabilities to be disclosed “before the products are pushed to the market.”

“Security testing should be implemented before users are put at risk,” he added.

CVE Program: A “Top Priority” for CISA

Finally, Cerkovnik said the CVE program is “a top priority” for CISA and its parent administration, the US Department of Homeland Security (DHS), and that the security agency will continue funding the program in the future.

While she declined to provide any specifics, she said, “Contracts and funding for the CVE program are secure. Funding has never been an issue.”

However, she highlighted that DHS was still technically in a shutdown situation and that this currently complicates decision-making at CISA, including around spending for outreach opportunities like her coming to VulnCon.

Image credits: Koshiro K / gguy /Shutterstock.com


