Rapid7 — Modernizing Vulnerability Standards for the AI Era
AI relevance: Rapid7 argues at the White House that the entire vulnerability management stack — CVE identifiers, CVSS scoring, NVD, KEV, EPSS — was designed for human-speed discovery and is now structurally incapable of handling AI-accelerated vulnerability research, creating a prioritization crisis for defenders operating AI infrastructure.
What happened
- Rapid7 presented a policy paper titled "Modernizing Global Vulnerability Standards" during a private-sector White House consultation in June 2026.
- The paper argues that CVE submissions already grew 263% between 2020 and 2025 from human-speed growth alone. NIST acknowledged in April 2026 that the National Vulnerability Database can no longer keep pace and is shifting to risk-based triage.
- In April 2026, Anthropic, OpenAI, and Google DeepMind each announced production-grade AI systems capable of discovering, chaining, and remediating software vulnerabilities at machine speed.
- The Stanford HAI AI Index 2026 Cybench benchmark showed unguided AI agent solve rates on cybersecurity tasks rising from 15% to 93% in a single year — a six-fold increase that fundamentally changes the volume and velocity of vulnerability discovery.
- Rapid7 identifies the prioritization gap as the most urgent problem: traditional severity scores miss how attackers chain multiple lower-severity issues into serious compromises, and KEV remains retrospective by design because it depends on confirmed exploitation in the wild.
- EPSS (Exploit Prediction Scoring System) is trained on historical attacker behavior, which may not reflect what AI-assisted attackers can now do — making it structurally backward-looking for AI-era threat modeling.
- The Five Eyes cybersecurity agencies separately warned that AI is "rapidly transforming cyber risk by increasing the speed, scale, and sophistication of threats, lowering barriers for malicious actors."
- Proposed reforms include: recognizing verified AI-demonstrated exploitability, adding chaining-risk metadata to vulnerability records, and requiring reachability guidance alongside AI-discovered findings.
- The paper also calls for updates to the Vulnerabilities Equities Process, investment in CVE and NVD infrastructure, standardized capability disclosure from AI labs, and clear CISA leadership on AI-era vulnerability management.
Why it matters
For teams operating AI infrastructure — vLLM clusters, MCP servers, agent frameworks, model serving platforms — the vulnerability prioritization crisis hits hardest. These systems are relatively new, rapidly evolving, and often deployed with broad access to sensitive data and compute resources. When AI-driven discovery produces vulnerabilities faster than defenders can triage them, the gap between "known" and "exploitable" widens dangerously.
The paper's core insight is that abstract severity scores (CVSS) are insufficient when AI agents can discover chaining opportunities across multiple components. An AI operator needs to know not just how severe a single CVE is, but whether it can be combined with other reachable vulnerabilities in their specific deployment topology.
What to do
- Read the full paper — it's one of the most concrete policy proposals for AI-era vulnerability management from an operational security perspective.
- Audit your AI stack's vulnerability surface. Map which components (vLLM, Triton, Ray, MCP servers, agent frameworks) have known CVEs and whether they're reachable in your deployment.
- Move beyond CVSS-only prioritization. Incorporate reachability analysis and chaining-risk assessment for AI infrastructure components, especially those exposed to untrusted input.
- Monitor AI-specific CVE feeds. The GitHub Advisory Database and AI-specific trackers now cover LangChain, LiteLLM, vLLM, AutoGen, Mastra, and other AI framework vulnerabilities.
- Prepare for AI-discovered vulnerabilities in your own stack. If you're running AI-powered security scanners, establish clear workflows for handling the volume of findings they produce.