Who should decide when an AI system’s flaw is made public: the makers of the system, independent researchers, or a government agency? That question was posed, in effect, at VulnCon when Lindsey Cerkovnik, head of vulnerability management at CISA, said that AI companies should play a bigger role in vulnerability disclosures going forward.
What was said and where
At VulnCon, Lindsey Cerkovnik — identified at the event as the head of vulnerability management at CISA — urged a change in how vulnerabilities tied to artificial intelligence are handled. Cerkovnik said that AI companies should play a bigger role in vulnerability disclosures in the future. The comment was attributed to CISA and covered in industry reporting on the conference.
Background implied by the remarks
The remark links two distinct elements: AI companies and vulnerability disclosure processes. Cerkovnik’s statement explicitly calls for a greater role for AI companies in disclosures, and it was framed in the context of vulnerability management at CISA. The comment also connects that call to the CVE program, as reported in the source headline.
Why this matters — multiple perspectives
- Technologists: From a practitioner’s viewpoint, asking AI companies to take on a larger role in disclosures raises operational questions about coordination, timing and technical responsibility. If vendors lead disclosures, they may control when and how technical details reach researchers and the public.
- Policymakers: For those shaping disclosure norms or programs referenced in the reporting, the suggestion implies a potential shift in who is expected to participate actively in disclosure workflows and governance frameworks.
- Users: People and organizations relying on AI systems could see changes in how and when they learn about vulnerabilities. Greater vendor involvement might speed fixes in some cases, or it could delay public awareness in others — depending on how roles and rules are implemented.
- Adversaries: Any change in disclosure practices also alters the information environment that malicious actors observe. The balance between rapid remediation and timely public notice will influence how adversaries respond.
Assessment and next steps
The single publicized statement from CISA’s Lindsey Cerkovnik at VulnCon signals an intent to rethink participation in disclosure processes, particularly as they relate to AI. How that intent becomes policy, norms, or operational practice was not detailed in the report. The statement opens several implementation questions that stakeholders will need to address: what roles AI companies would undertake, how coordination with existing disclosure mechanisms would work, and what safeguards would govern timing and transparency.
Those questions will determine whether the call for a bigger role by AI companies results in faster remediation, clearer accountability, or new tensions between vendors, researchers and disclosure programs like the CVE program referenced in coverage of the remarks.
As Cerkovnik put it at VulnCon, AI companies should play a bigger role in vulnerability disclosures in the future — but how that future unfolds remains to be seen. Will a push for greater vendor responsibility strengthen the system, or will it complicate the public’s right to timely information?
https://www.infosecurity-magazine.com/news/ai-companies-to-play-bigger-role/