CISA Calls for AI Companies to Join CVE Program as CNAs

AI relevance: As autonomous AI models discover thousands of vulnerabilities at machine speed, the CVE disclosure infrastructure must adapt to handle AI-found bugs — directly affecting how security teams triage, report, and patch vulnerabilities uncovered by AI systems.

What happened

• Speaking at VulnCon26 on April 14, Lindsey Cerkovnik, chief of CISA's Vulnerability Response & Coordination Branch, said AI companies "should be better represented" in the CVE program, urging them to become official CVE Numbering Authorities (CNAs).
• The call follows the launch of Claude Mythos Preview, Anthropic's LLM designed to autonomously find and fix vulnerabilities at scale. In testing, Mythos reportedly discovered thousands of previously unknown zero-days and chained multiple Linux kernel vulnerabilities for full privilege escalation.
• OpenAI simultaneously launched GPT-5.4-Cyber on April 14, a model fine-tuned for cybersecurity use cases, available to members of its Trusted Access for Cyber Defense program.
• CVE volume is already surging: 18,247 CVEs reported through early 2026 (up 27.9% year-over-year), averaging 174 per day. FIRST forecasts 50,000+ CVEs for 2026; analyst Jerry Gamblin projects 70,135.
• The CVE program now has 502 registered CNAs. ENISA's Johannes Kaspar Clos told Infosecurity that Anthropic "is of course rightfully mentioned" as a potential CNA given its vulnerability identification work.
• The CVE program's diversification strategy includes two new working groups (Consumer and Researcher) launched in July 2025, with plans to onboard more European-based CNAs.

Why it matters

The combination of AI models autonomously discovering vulnerabilities and the CVE program struggling with volume creates a structural problem. If AI companies become CNAs, they could directly assign CVE IDs to model-discovered flaws — but this also raises questions about quality control, duplicate reporting, and the incentive structure for AI-assisted vulnerability research. For organizations running AI security tooling, understanding how model-found vulnerabilities flow into the CVE ecosystem is critical for patch prioritization.

What to do

• Track whether Anthropic, OpenAI, or other AI labs apply for CNA status — this will change how AI-discovered vulnerabilities are reported and disclosed.
• If you run AI-assisted vulnerability scanning, establish internal triage processes for model-found bugs before they hit public CVE databases.
• Monitor the CVE Consumer and Researcher working groups for policy changes that affect AI company participation.

Sources:

• Infosecurity Magazine — AI Companies to Play Bigger Role in CVE Program
• Infosecurity Magazine — Anthropic Launches Project Glasswing
• CVE Stats Dashboard (Jerry Gamblin)
• Infosecurity — UK AISI Assessment of Claude Mythos