In a significant address at VulnCon26 in Scottsdale, Arizona, on April 14, Lindsey Cerkovnik, a leading figure in the arena of cybersecurity, emphasized the necessity for AI companies, like OpenAI and Anthropic, to take on a more pivotal role in software vulnerability disclosures in the future. As the chief of the Vulnerability Response & Coordination (VRC) Branch at the US Cybersecurity and Infrastructure Security Agency (CISA), Cerkovnik is at the forefront of managing the Common Vulnerabilities and Exposures (CVE) program, which is overseen by MITRE. During her speech, she asserted that AI companies “should be better represented” within the CVE framework, reflecting a need for evolution in how vulnerabilities are reported and addressed in an increasingly digital landscape.
Cerkovnik’s remarks came at a time of remarkable growth in reported vulnerabilities; she noted that the evolution of AI platforms is likely to accelerate this trend. In her speech, she pointed out the arrival of new AI tools that serve dual purposes: one set designed to discover genuine vulnerabilities, while another may uncover issues of less significance. Cerkovnik called this moment a “turning point” for the cybersecurity industry, recognizing the need for organizations to adapt their strategies in light of the advancements in technology.
Just days before Cerkovnik’s address, Anthropic introduced Claude Mythos Preview, a new large language model (LLM) that is aimed at autonomously identifying and rectifying cybersecurity vulnerabilities at scale. Currently, access to Mythos is restricted to the 40 members of Project Glasswing, its exclusive initiative. Reports indicate that during testing, Mythos uncovered thousands of previously unidentified zero-day vulnerabilities, raising important questions about the state of cybersecurity within critical infrastructures.
Further emphasizing the significance of Mythos, the model was able to autonomously identify and exploit several vulnerabilities within the Linux kernel, software integral to the operation of most global servers. This finding has implications for cybersecurity professionals, as the ability to escalate user access could potentially allow attackers to gain complete control over systems. However, researchers from the UK’s AI Security Institute (AISI) have expressed caution, noting that they “cannot say for sure” if the capabilities of Mythos Preview would be effective against systems fortified with robust defenses.
On the same day, OpenAI launched GPT-5.4-Cyber, a refined version of its AI model tailored specifically for cybersecurity applications. This model is also available solely to members of a dedicated program aimed at enhancing cyber defense efforts. The rapid developments from both companies underscore a growing trend within the AI sector to directly contribute to the identification and remediation of software vulnerabilities.
The urgency of these advancements is underscored by statistical projections for the CVE program, which predicts a record number of reported vulnerabilities. In 2026 alone, the program anticipates being inundated with anywhere between 50,000 and 70,000 new CVEs, marking an explosion of reported issues from the previous year. Cerkovnik’s insights highlighted that this exponential growth necessitates not only innovative tools for vulnerability identification but also a broadening of the community contributing to the CVE program.
Historically, the CVE program has evolved to encompass a more diverse range of contributors and approaches. Cerkovnik’s appeal for the inclusion of AI companies aligns with a broader strategy to diversify the program’s participant base. This strategy was further exemplified by the creation of two new forums in July 2025: the CVE Consumer Working Group (CWG) and the CVE Researcher Working Group (RWG), designed to amplify collaboration and broaden the pool of entities capable of contributing to the vulnerability reporting process.
As of late March 2026, the CVE program had successfully expanded its network, reaching over 500 contributors with 502 organizations now officially recognized as CVE Numbering Authorities (CNAs). This diversification is not merely numerical; it aims to encapsulate a wide array of cybersecurity practitioners, from national computer emergency response teams (CERTs) to researchers, fostering a more comprehensive approach to vulnerability management.
In conversations surrounding this initiative, Nuno Rodrigues Carvalho, the head of sector for Incidents and Vulnerability Services at the European Cybersecurity Agency (ENISA), expressed a need for an international perspective. He emphasized that bringing AI companies into consideration as CNAs could enhance these efforts, and his colleague Johannes Kaspar Clos echoed this sentiment, advocating for the inclusion of diverse cybersecurity stakeholders in the vulnerability discourse.
Ultimately, Cerkovnik reaffirmed that the CVE program remains a “top priority” for CISA as well as the US Department of Homeland Security (DHS). She reassured stakeholders that the necessary funding for the program is secure, despite current operational challenges posed by a partial shutdown within the DHS, which complicates decision-making processes. This acknowledgment illustrates the ongoing commitment to enhancing cybersecurity frameworks and ensuring that vulnerability disclosures evolve alongside technological advancements.
As the landscape of cybersecurity continues to transform, Cerkovnik’s call for the engagement of AI companies represents a pivotal shift towards a more inclusive and proactive approach to vulnerability management, fostering a collaborative environment aimed at fortifying the digital realm against emerging threats.

