CNA Operations Manual for Agentic AI Vulnerabilities

White Paper | 2026-03-27 | Status: draft

Executive Summary

The vulnerability management infrastructure that underpins modern cybersecurity—the CVE program for identifiers, the Common Weakness Enumeration for taxonomic classification, and CVSS for severity scoring—was architected for a world of deterministic software. A buffer overflow in a network daemon, a SQL injection in a web application, an authentication bypass in an identity provider: these are reproducible, code-grounded defects that fit cleanly into three decades of evolved practice. CVE assigns an identifier. CWE maps the weakness class. CVSS scores the severity. NVD publishes the record. A patch ships. The cycle completes.

Autonomous AI agents break this cycle at every stage. An agent’s harmful behavior may derive not from a flaw in its code but from the corruption of its goal representation through natural language. Its exploitation may be probabilistic rather than deterministic, manifesting in some percentage of attempts under contextual conditions that resist controlled laboratory reproduction. The severity of an agentic vulnerability cannot be captured by a CVSS vector designed for software components, because that vector has no metric for an agent’s authorization footprint, its access to persistent memory that survives the attack session, or the cascading blast radius of a compromised orchestrator in a multi-agent pipeline. And no single existing CVE Numbering Authority holds a scope definition that encompasses agentic vulnerabilities as a class — meaning that today’s agentic CVEs are assigned by whichever CNA the discovering researcher happens to have a relationship with, without domain-consistent taxonomy, without cross-referencing to agent-specific weakness categories, and without the structural knowledge to distinguish an architecturally significant agentic failure from a trivially patched input validation bug.

The CSAI Foundation was launched on March 23, 2026 as a 501(c)(3) non-profit with a founding mission of securing the agentic control plane [1]. As part of its founding program portfolio, CSAI established a CVE Numbering Authority scoped specifically to agentic AI vulnerabilities. This manual defines how that CNA operates.

The manual covers eight operational domains. The scope definition establishes the three-part conjunctive test that determines whether a reported vulnerability falls within CSAI CNA authority, and defines coordination boundaries with adjacent CNAs. The intake and triage section describes submission channels, the triage decision framework, timelines, and researcher communication standards. The severity assessment section specifies a CVSS v4.0 application methodology augmented with agentic-specific supplemental metrics that capture the failure modes CVSS v4.0’s base metrics do not address. The CVE ID assignment section documents the mechanics of ID reservation, duplicate handling, and coordinated disclosure timelines. The publication section specifies CVE record format requirements, advisory publication procedures, NVD submission, and embargo management. The dispute resolution section establishes a three-tier process aligned with MITRE’s program requirements. The ecosystem integration section defines coordination protocols with MITRE, adjacent CNAs, and sector ISACs. The staffing and tooling section establishes minimum operational requirements and performance targets.

Taken together, these procedures constitute the complete operational specification for CSAI CNA operations from the day of first intake submission through the full lifecycle of every record within scope.


1. Introduction: Why CSAI Should Operate as a CNA

The CVE program has served as the common language for cybersecurity vulnerability identification since 1999, when MITRE first established a unified numbering scheme to replace the fragmented, vendor-specific vulnerability identifier systems that had made cross-tool correlation impractical [2]. Today the program encompasses more than 380 CVE Numbering Authorities worldwide, spanning major software vendors, security research firms, government agencies, bug bounty platforms, and sector-specific authorities [3]. Each CNA operates within a defined scope, assigning CVE identifiers to eligible vulnerabilities in their domain and publishing the corresponding CVE records to the program’s public infrastructure. The hierarchy of Root CNAs, including CISA’s ICS Root CNA for industrial control systems and government-affiliated Root CNAs for specific national jurisdictions, provides oversight and a catch-all assignment function for vulnerabilities that fall outside any direct CNA’s scope [4].

The current CNA landscape has no organization holding a scope definition that covers agentic AI vulnerabilities as a class. This gap is not the result of oversight — it is a structural consequence of the mismatch between the timeline on which agentic AI deployment reached production scale (accelerating through 2025 and reaching mainstream enterprise adoption in early 2026) and the pace at which the CVE program’s CNA ecosystem evolves to cover new technology domains. The consequence is observable in the CVE catalog. The Model Context Protocol accumulated more than thirty CVE filings in the sixty days between January and March 2026, filed across multiple CNAs with no consistent taxonomy and no shared framework mapping [5]. The OpenClaw agentic framework produced four CVEs in two months, each assigned by a different research organization, with no cross-referencing to the common architectural root cause that connected all four [6]. Researchers submitting agentic vulnerability reports regularly encounter CNA assignment confusion when their finding does not clearly belong to any vendor’s product CNA, does not meet the scope criteria of any existing security research CNA, and involves behavioral properties that existing CVE record fields cannot accurately represent.

The CSAI Foundation is positioned to fill this gap for several compounding reasons. It is an independent, non-profit organization with no commercial stake in any agentic AI product, giving it the neutrality required to operate a domain CNA that serves the community rather than any vendor’s disclosure interests. It has organizational continuity with the CSA AI Controls Matrix, the MAESTRO agentic threat modeling framework, and the broader CSA research output on agentic risk — the domain knowledge required to evaluate whether a reported behavior constitutes a vulnerability, how to classify it within the evolving agentic weakness taxonomy, and what technical detail practitioners need to assess applicability to their deployments [7][8]. It has established relationships with the research community producing agentic disclosures and the vendor community producing agentic products, the two populations whose cooperation is essential to a functioning domain CNA. And it has a defined mandate from its founding charter to operate a CVE Numbering Authority as a core program function, ensuring organizational commitment to the resource investment that CNA operations require.

Establishing this CNA is not merely administratively useful — it is a prerequisite for the kind of structured, longitudinal vulnerability tracking that the agentic AI security field needs to mature. Without consistent taxonomy, the industry cannot identify the architectural patterns that produce clusters of agentic vulnerabilities. Without cross-referencing to weakness categories and threat framework mappings, organizations cannot do programmatic root-cause analysis across their agentic deployments. Without a domain CNA with technical authority in agentic AI, the CVE records for the most consequential new vulnerability class of the decade will remain a scattered, inconsistent corpus from which few systematic lessons can be drawn.


2. CNA Scope Definition

Defining the CSAI CNA’s scope with precision is the foundational operational decision that determines every subsequent workflow. A scope that is too broad creates conflicts with adjacent CNAs and overwhelms a small specialized team with disclosures that existing CNAs already handle well. A scope that is too narrow fails to cover the distinct vulnerabilities the CSAI CNA was established to address, leaving the gap it was created to fill partially open. The scope definition below reflects both the structural requirements of the CVE program’s CNA framework and the specific properties of agentic AI vulnerability classes that existing CNAs are not well-positioned to evaluate.

2.1 In-Scope Vulnerability Criteria

A vulnerability falls within CSAI CNA scope when it satisfies all three of the following criteria applied conjunctively.

The first criterion is that the affected system must be an autonomous or semi-autonomous AI agent. For the purposes of this scope definition, an agentic AI system is one that perceives its environment through structured or natural-language inputs, makes decisions through a reasoning process (including LLM inference), and takes actions toward a defined goal without requiring human instruction for each individual action. This definition encompasses LLM-based agents with tool access; multi-agent orchestration frameworks and the individual agents they coordinate; agentic runtimes providing the infrastructure on which agents execute; and the communication protocols and infrastructure designed specifically for agent-to-agent or agent-to-tool interaction, including the Model Context Protocol, the emerging Agent-to-Agent protocol, and their successors. Systems that use AI components in a purely advisory or display function — a dashboard that presents AI-generated summaries to a human decision-maker — are not agentic systems for this purpose, because they do not take autonomous action.

The second criterion is that the vulnerability must arise from agent-specific properties. These properties include goal representation and its susceptibility to corruption through natural language; persistent memory systems and their exposure to poisoning or unauthorized modification; delegation mechanisms used to pass task authority between agents in a hierarchy; trust boundary handling in inter-agent communication; and the amplified blast radius that attaches to classical software weaknesses when those weaknesses are present in systems that operate with broad tool access and autonomous action authority. The distinction this criterion draws is between a classical software vulnerability that happens to exist in an agentic system’s codebase and a vulnerability whose severity, exploitability, or consequence is materially shaped by the agentic properties of the affected system. A heap overflow in an agent runtime’s memory allocator is a classical memory safety vulnerability best handled by the runtime vendor’s existing CNA. The same heap overflow exploited through a goal injection attack that manipulates the agent’s reasoning to trigger specific memory operations represents a convergence of a classical flaw and an agentic exploitation pathway that the CSAI CNA should evaluate jointly with the vendor’s CNA.

The third criterion is that the vulnerability must be eligible for CVE assignment under the CVE program’s current rules: it must be independently fixable, affect at least one product with an installed user base, and be capable of public disclosure as a security advisory [9].

2.2 Out-of-Scope Categories

Several categories of AI-related security issues are explicitly outside CSAI CNA scope. Foundational model vulnerabilities — jailbreaks, adversarial examples, model inversion, training data extraction, and similar attacks that target the model’s learned behavior absent any agentic architecture — are excluded unless they are directly enabled by or directly enable agentic architectural properties. Model safety issues that constitute misuse or misalignment rather than exploitable security vulnerabilities are excluded. Classical software vulnerabilities in AI infrastructure — a SQL injection in a model training pipeline’s web interface, an authentication bypass in a model serving endpoint — are excluded when those components have no agentic properties and the vulnerability class is well-served by the affected vendor’s existing CNA.

Vulnerabilities in AI-adjacent systems that are not themselves agentic — a vulnerability in a vector database used by a RAG system, for instance — are excluded when the vulnerability does not depend on or amplify agentic properties. If, however, the same vector database vulnerability enables persistent memory poisoning against an agent that uses that store as its authoritative memory source, the resulting agentic failure mode falls within scope for joint coordination.

2.3 Relationship to Adjacent CNAs

The agentic AI technology stack overlaps with the scopes of several existing CNAs whose products are heavily represented in agentic deployments. Anthropic, OpenAI, Google, Microsoft, and NVIDIA each hold vendor CNAs covering their respective AI platform products. GitHub holds a CNA covering the GitHub Actions and Copilot ecosystems. The key coordination principle is that CSAI CNA scope is defined by the vulnerability class — agentic behavioral properties — not by the affected product’s vendor. When a vulnerability in an Anthropic product or MCP implementation involves agentic behavioral failure modes beyond classical software weaknesses, CSAI and Anthropic’s CNA coordinate on joint evaluation and consistent record publication. The specific deduplication protocol governing these relationships is defined in Section 8 of this manual.


3. Vulnerability Intake and Triage

3.1 Submission Channels

The CSAI CNA operates three primary intake channels designed to accommodate the range of researcher relationships, organizational security programs, and disclosure contexts that produce agentic vulnerability reports. The primary channel is the CSAI security disclosure portal at security.csai.foundation, which provides a structured submission form collecting the information required for initial triage: the submitting researcher’s contact information, the affected system or component, the vulnerability description, reproduction evidence, and the submitter’s disclosure timeline preferences. The form accepts structured text and file attachments for reproduction evidence, with explicit guidance that agentic vulnerability reproduction evidence may take the form of conversational transcripts, probabilistic reproduction statistics, or behavioral descriptions rather than traditional proof-of-concept code.

The second channel is the dedicated intake address [email protected], which provides a lower-friction path for researchers who have established relationships with CSAI staff, who are submitting follow-on reports related to previously disclosed vulnerabilities, or who are coordinating on multi-party disclosure scenarios. PGP encryption is available at the intake address for reports requiring confidentiality during the pre-disclosure period, and the CSAI public key is maintained on the CSAI website and major keyservers.

The third channel encompasses managed bug bounty platform integrations. CSAI maintains configured intake pipelines from HackerOne and Bugcrowd that route submissions tagged with agentic AI components directly to the CNA coordinator’s intake queue. This channel is particularly important for capturing disclosures from researchers who do not have a direct relationship with CSAI but whose submissions fall within CSAI CNA scope based on the affected component or vulnerability class.

For vulnerabilities that may warrant immediate coordination due to active exploitation or critical severity, a 24-hour emergency contact mechanism is documented in the intake portal and communicated to established researcher partners. Emergency disclosures received through this channel trigger the escalation procedures defined in Section 10.

3.2 Initial Triage Process

All submissions received through any intake channel enter an initial triage process that begins within two business days of receipt. The CNA coordinator performs the initial triage review, with technical lead involvement required for any submission that involves novel agentic failure modes not previously encountered in the CNA’s case history, potential CVSS scores of 8.0 or higher, or apparent multi-vendor scope requiring coordination.

Initial triage evaluates four questions in sequence. First: is the submission within CSAI CNA scope under the three-part conjunctive test defined in Section 2? Second: is the submission eligible for CVE assignment under the CVE program’s current rules — specifically, is the vulnerability independently fixable and capable of public disclosure in a security advisory? Third: has this vulnerability already been assigned a CVE ID by another CNA, either in published or reserved state? Fourth: does the submission contain sufficient technical detail to proceed to full evaluation, or does the triage team need to request additional information from the submitter?

Initial triage does not make a final determination on whether to assign a CVE ID. It makes one of four routing decisions: accept for full evaluation and assign to the technical lead; refer to another CNA as better-suited to the submission’s scope profile; reject as ineligible (with explanation to the submitter); or request additional information from the submitter with a defined response timeline.

3.3 Triage Decision Framework

The following framework structures the triage routing decision. Triage staff apply this framework consistently but exercise judgment in ambiguous cases, and any case where reasonable staff members would reach different conclusions is escalated to the technical lead for resolution.

Scenario | Routing Decision
Clearly agentic behavioral vulnerability, no existing CVE, submitter is original discoverer | Accept for full evaluation
Classical software vulnerability in agentic component but no agentic amplification | Refer to vendor CNA (with explanation and contact information)
Agentic behavioral failure in product covered by vendor CNA with AI scope | Accept for joint coordination with vendor CNA
CVE ID already assigned and published by another CNA | Reject as duplicate (provide existing CVE reference)
CVE ID reserved by another CNA, submission conflicts | Initiate deduplication coordination per Section 5.3
Model safety issue, no agentic exploitation pathway | Reject as out of scope (provide referral guidance to AI safety organizations)
Active exploitation with critical severity indicators | Accept and trigger escalation per Section 10
Insufficient technical detail to evaluate scope | Request additional information (10-business-day response window)

3.4 Researcher Communication Standards

CSAI CNA communication standards reflect the reality that coordinated vulnerability disclosure functions on the trust and goodwill of the research community. Researchers who submit vulnerabilities are extending professional cooperation that the CNA must reciprocate with responsiveness, transparency, and respect for the submitter’s time and expertise.

Initial acknowledgment is sent within two business days of receipt through the same channel the submission arrived on. The acknowledgment confirms receipt, assigns a tracking number, and sets the expectation that the submitter will receive a routing decision within ten business days. If additional information is required, the request for information is sent within five business days and specifies exactly what information is needed and why.

Following the triage routing decision, the submitter receives a notification that includes the decision, the rationale, and — if accepted — the preliminary disclosure timeline and next-steps process. Subsequent status updates are provided at minimum every thirty days during the active evaluation period, and at every material event: CNA evaluation complete, CVE ID reserved, vendor notified, disclosure date confirmed, CVE record published.

When a submission is rejected as out of scope or ineligible, the notification includes specific reasoning rather than a generic rejection, and where possible identifies the appropriate CNA or organization to whom the submitter might redirect the report. When a submission is referred to another CNA, CSAI staff make a warm introduction to the receiving CNA’s intake contact when an established relationship exists, rather than merely providing the submitter with a cold referral.

Researchers who identify themselves as independent (not affiliated with a vendor or bug bounty program) and who submit vulnerabilities with material security impact are recognized in the published CVE record’s acknowledgments section unless they request anonymity. CSAI does not operate a bug bounty program with financial compensation, but it maintains a researcher recognition program and actively advocates for vulnerability submission credit with affected vendors during coordinated disclosure.


4. Severity Assessment Methodology

4.1 CVSS v4.0 Application for Agentic Vulnerabilities

CSAI CNA uses CVSS v4.0 as its base severity scoring methodology, consistent with current CVE program and NVD practice [10]. CVSS v4.0 introduced several improvements over v3.1 that are particularly relevant to agentic vulnerability scoring: the Attack Requirements (AT) metric, which distinguishes vulnerabilities requiring specific preconditions from those exploitable in any configuration; the granular separation of Subsequent System Impact (MSI, MSA, MSC) from Vulnerable System Impact, which better captures blast radius in systems with complex interconnections; and the Threat (T) metric group, which allows CNA-provided scores to reflect real-world exploitation activity [11].

CSAI applies CVSS v4.0 base scores to all accepted vulnerabilities, using the following interpretations for the base metric group in agentic contexts. Attack Vector (AV) for agentic vulnerabilities typically scores as Network when the vulnerability is exploitable by content delivered through any network-accessible channel the agent processes — email, retrieved documents, API responses, web content — even when the agent itself is not directly network-accessible from the attacker’s position. This reflects the principle that an agent’s attack surface extends to all content sources it ingests, not only to its network-facing interfaces. Attack Complexity (AC) scores Low for vulnerabilities requiring only that an attacker deliver adversarial content through a channel the agent processes in normal operation, without requiring any specific pre-existing foothold or precise timing. Attack Requirements (AT) scores Present for agentic vulnerabilities that are only exploitable when specific context conditions are met — for example, a memory poisoning attack that requires the agent to have processed prior attacker-controlled content to reach an exploitable state.

For Privileges Required (PR), CSAI’s interpretation acknowledges that many agentic vulnerabilities require no system access at all — the attack path operates entirely through the agent’s instruction-following behavior. PR scores None when the attack can be initiated by delivering adversarial content through any channel the agent processes without authenticated access to the agent’s infrastructure. User Interaction (UI) scores None when exploitation does not require any action by a human user beyond the normal use of the system: the agent’s autonomous operation is sufficient to trigger the vulnerability when adversarial content is present.

The impact metrics require particular care. When the Vulnerable System (VS) is the agent itself and the agent operates with broad tool access — file system read/write, API access to enterprise systems, shell command execution — the actual impact on the broader environment is determined by the Subsequent System (SS) impact metrics. CSAI scores Subsequent System Confidentiality (MSC), Integrity (MSI), and Availability (MSA) against the systems accessible to the agent through its authorized tool grants, not merely against the agent’s own data. An agent with access to enterprise email, file storage, and CRM systems that is compromised through goal injection should score High on all three Subsequent System impact dimensions regardless of what the agent’s own code directly reads or writes.

4.2 Agentic-Specific Supplemental Metrics

CVSS v4.0’s Supplemental metric group, which does not affect the numeric score but provides additional context for organizational risk assessment, is used by CSAI CNA to capture agentic-specific properties that the base metrics cannot express [10]. CSAI defines five supplemental annotations appended to CVSS v4.0 records for agentic vulnerabilities.

Behavioral Reproducibility (BR) indicates the consistency with which the vulnerability manifests: Deterministic for vulnerabilities that reproduce on every attempt under specified conditions; Probabilistic for vulnerabilities that reproduce in a defined percentage of attempts; and Context-Dependent for vulnerabilities that require specific conversational history, memory state, or environmental conditions that cannot be reliably reproduced in a test environment. BR affects disclosure timeline decisions but not base score.

Agent Authorization Footprint (AAF) characterizes the permission scope of the compromised agent: Minimal for agents with narrowly scoped, read-only, or low-consequence tool grants; Standard for agents with production system access typical of enterprise assistant deployments; and Elevated for agents with administrative, financial transaction, code execution, or infrastructure management authority. AAF is the primary input to Subsequent System impact scoring and is documented explicitly in the CVE record to help practitioners assess applicability to their own deployments.

Persistence Potential (PP) indicates whether the vulnerability enables effects that survive the end of the attack session: None for vulnerabilities whose effects terminate when the agent session ends; Memory-Persistent for vulnerabilities that can modify the agent’s long-term memory store; and Cross-Session for vulnerabilities enabling effects that persist across multiple agent sessions or propagate to other agents in a multi-agent system.

Delegation Chain Depth (DCD) indicates whether the vulnerability can propagate through a multi-agent hierarchy: None for vulnerabilities limited to a single agent; Single-Hop for vulnerabilities that the compromised agent can propagate to one level of sub-agents; and Multi-Hop for vulnerabilities that can traverse multiple levels of an agent orchestration hierarchy.

Human Oversight Bypass (HOB) indicates whether exploitation requires or involves circumventing human review mechanisms: Not Applicable for systems without human oversight gates; Intact for exploits that function despite human oversight being present; and Bypassed for exploits that specifically circumvent designed human review mechanisms.

These five supplemental metrics are recorded in a structured annotation field in the CSAI CVE record format extension and are included in NVD submissions alongside the standard CVSS v4.0 vector.

4.3 Special Assessment Considerations

Three vulnerability categories present assessment challenges that require explicit methodology beyond the standard CVSS application guidance.

Behavioral vulnerabilities — failures in which an agent’s observed behavior is harmful but no specific code defect can be identified as the proximate cause — present the most significant assessment challenge. For this class, CSAI’s technical lead evaluates whether the behavior constitutes a vulnerability under the CVE program’s rules (which require an independently fixable flaw, not merely harmful capability) or whether it represents a model safety issue better addressed through an AI safety framework than through vulnerability disclosure. When a behavioral vulnerability passes this threshold — typically because it is triggered by a specific, documented input pattern that a reasonable developer would consider exploitable — CSAI assesses exploitability based on the accessibility of the triggering input pattern and impact based on the full scope of agent tool access.

Goal misalignment issues, in which an agent can be induced to pursue objectives contrary to its authorized mission through manipulation of its instruction context, planning state, or memory, are assessed with particular attention to the Persistence Potential supplemental metric. A goal misalignment that resets when the agent session ends is materially less severe than one that persists in long-term memory or propagates through a delegation chain. CVSS Subsequent System impact scores for goal misalignment vulnerabilities reflect the full capability of the compromised agent, not merely what the attacker directed the agent to do in the exploitation scenario.

Multi-agent cascading failures — vulnerabilities in which compromise of one agent propagates harm to other agents in the same orchestration pipeline — require that CVSS scoring capture the maximum extent of the cascade, not merely the directly compromised component. When a vulnerability in a subordinate agent can propagate to an orchestrating agent with higher privilege, the score reflects the orchestrator’s impact potential. The Delegation Chain Depth supplemental metric explicitly flags these cases for practitioners integrating CSAI CVE records into their vulnerability management programs.

4.4 Escalation Criteria

Any accepted vulnerability that scores 9.0 or above on the CVSS v4.0 base score, or that scores 7.0 or above in combination with an AAF rating of Elevated and a PP rating of Memory-Persistent or Cross-Session, triggers the escalation procedures defined in Section 10. Active exploitation confirmed in the wild triggers immediate escalation regardless of score. Vulnerabilities affecting multiple vendors or spanning multiple CSAI-scope components trigger multi-vendor coordination per Section 8 rather than standard single-vendor procedures.
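The following is an added example, not CSAI’s own tooling, showing how a triage tool could parse the five supplemental metrics of Section 4.2 and apply the Section 4.4 escalation rule together with the Section 4.1 expectation on Subsequent System impact. The manual names the metrics and their values but defines no text syntax, so the compact “BR:P/AAF:E/PP:M/DCD:S/HOB:I” form is an assumption; the CVSS v4.0 base vector is parsed only to read SC, SI and SA, and the numeric base score is supplied by the caller rather than computed.

```python
# Added example (not CSAI tooling). The one-letter codes for the Section 4.2
# supplemental metrics are an assumed serialisation; the metric names and
# values are the manual's. Base score is an input, not computed from the vector.
from dataclasses import dataclass

SUPPLEMENTAL = {
    "BR":  {"D": "Deterministic", "P": "Probabilistic", "C": "Context-Dependent"},
    "AAF": {"M": "Minimal", "S": "Standard", "E": "Elevated"},
    "PP":  {"N": "None", "M": "Memory-Persistent", "X": "Cross-Session"},
    "DCD": {"N": "None", "S": "Single-Hop", "M": "Multi-Hop"},
    "HOB": {"X": "Not Applicable", "I": "Intact", "B": "Bypassed"},
}
# CVSS v4.0 base metrics and their permitted values.
BASE_VALUES = {
    "AV": set("NALP"), "AC": set("LH"), "AT": set("NP"), "PR": set("NLH"),
    "UI": set("NPA"), "VC": set("HLN"), "VI": set("HLN"), "VA": set("HLN"),
    "SC": set("HLN"), "SI": set("HLN"), "SA": set("HLN"),
}


@dataclass(frozen=True)
class AgenticAnnotation:
    br: str
    aaf: str
    pp: str
    dcd: str
    hob: str


def _split_vector(vector: str, allowed: dict, strict: bool) -> dict:
    """Split 'KEY:VAL/KEY:VAL' into a dict: validate values of known keys,
    reject duplicates and missing keys, reject unknown keys when strict."""
    fields = {}
    for part in vector.strip().split("/"):
        key, sep, val = part.partition(":")
        key, val = key.upper(), val.upper()
        if not sep or not val:
            raise ValueError(f"malformed component {part!r}")
        if key in fields:
            raise ValueError(f"duplicate metric {key}")
        if key in allowed:
            if val not in allowed[key]:
                raise ValueError(f"{key} has no value {val!r}")
        elif strict:
            raise ValueError(f"unknown metric {key}")
        fields[key] = val
    missing = [k for k in allowed if k not in fields]
    if missing:
        raise ValueError("missing metrics: " + ", ".join(missing))
    return fields


def parse_annotation(vector: str) -> AgenticAnnotation:
    """Expand the compact annotation into the full metric names of Section 4.2."""
    codes = _split_vector(vector, SUPPLEMENTAL, strict=True)
    n = {k: SUPPLEMENTAL[k][v] for k, v in codes.items()}
    return AgenticAnnotation(n["BR"], n["AAF"], n["PP"], n["DCD"], n["HOB"])


def parse_cvss4_base(vector: str) -> dict:
    """Return the eleven base metrics of a 'CVSS:4.0/...' vector; later threat
    or environmental metrics are tolerated but not validated."""
    prefix, sep, rest = vector.strip().partition("/")
    if prefix.upper() != "CVSS:4.0" or not sep:
        raise ValueError("not a CVSS v4.0 vector")
    fields = _split_vector(rest, BASE_VALUES, strict=False)
    return {k: fields[k] for k in BASE_VALUES}


def escalation_reasons(base_score: float, ann: AgenticAnnotation,
                       active_exploitation: bool = False) -> list:
    """Every Section 4.4 trigger that applies; an empty list means no escalation."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("CVSS base score must lie in 0.0..10.0")
    reasons = []
    if active_exploitation:  # escalates regardless of score
        reasons.append("active exploitation confirmed in the wild")
    if base_score >= 9.0:
        reasons.append(f"base score {base_score:.1f} is 9.0 or above")
    if (base_score >= 7.0 and ann.aaf == "Elevated"
            and ann.pp in ("Memory-Persistent", "Cross-Session")):
        reasons.append(f"base score {base_score:.1f} is 7.0 or above with "
                       f"AAF Elevated and PP {ann.pp}")
    return reasons


def subsequent_impact_warnings(base: dict, ann: AgenticAnnotation) -> list:
    """Section 4.1 consistency check: an Elevated-footprint agent is expected
    to score High on all three Subsequent System impact metrics."""
    if ann.aaf != "Elevated":
        return []
    return [f"{m}:{base[m]} although AAF is Elevated (expected H)"
            for m in ("SC", "SI", "SA") if base[m] != "H"]


if __name__ == "__main__":
    # Constructed record: memory poisoning of an agent holding code-execution
    # authority. The score 7.4 is assumed for the example, not computed here.
    vec = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:L"
    ann = parse_annotation("BR:P/AAF:E/PP:M/DCD:S/HOB:I")
    print(escalation_reasons(7.4, ann))
    print(subsequent_impact_warnings(parse_cvss4_base(vec), ann))
```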


5. CVE ID Assignment Workflow

5.1 ID Reservation Process

CVE ID assignment in the CSAI CNA follows the standard CVE program procedures for CNA-level ID assignment, adapted for the behavioral and non-deterministic characteristics of agentic vulnerability reports. When the technical lead completes full evaluation of an accepted submission and concludes that CVE assignment is appropriate, the CNA coordinator requests a CVE ID block from MITRE through the CVE Services API using CSAI’s registered CNA credentials. CSAI maintains a standing block of reserved IDs for operational efficiency, drawing from the block as evaluations complete rather than requesting individual IDs for each assignment.

ID reservation occurs at the point of confirmed scope eligibility and CVE program eligibility, not at initial triage acceptance. The distinction matters because initial triage acceptance means only that a submission warrants full evaluation — full evaluation may ultimately conclude that the reported behavior does not meet the CVE program’s “independently fixable” threshold, or that another CNA has already reserved a CVE ID for the same vulnerability, as discovered during the deduplication check.

Upon reservation, the CSAI CNA coordinator notifies the submitting researcher of the reserved CVE ID, the anticipated disclosure timeline, and any conditions or extensions to the standard timeline that apply to the specific case. The reserved ID is not published to the CVE list at this stage; it appears in the CVE list only in reserved state until the coordinated disclosure process concludes and the record is published.

5.2 ID Reservation vs. Publication

A reserved CVE ID is one that has been allocated to a specific vulnerability but whose technical details have not yet been published to the CVE list. CSAI maintains reserved CVEs in a non-public tracking system during the pre-disclosure period. The reserved ID is shared with the affected vendor, the submitting researcher, and any coordination partners (other CNAs, CERT/CC, sector ISACs) on a need-to-know basis during the embargo period.

Publication occurs when the coordinated disclosure timeline concludes: the affected vendor has released a patch or advisory, the embargo period has elapsed, and the technical details of the vulnerability are ready for public release. CSAI’s technical lead prepares the complete CVE record in CVE Record Format 5.1 JSON prior to the publication date, ensuring that the record is ready for submission to the CVE Services API on the publication day without requiring day-of preparation under time pressure.

In exceptional cases where a vulnerability is published without a patch — because the vendor has not responded within the coordinated disclosure timeline or because active exploitation makes delayed disclosure harmful — CSAI publishes the CVE record with the disclosure details available and updates the record when a fix becomes available.

5.3 Handling Duplicate Reports

Duplicate detection is performed at two points: initial triage (checking whether an ID has already been assigned or reserved) and immediately prior to ID reservation (a final check against current CVE program records and coordination partners’ reserved blocks). CSAI maintains direct communication channels with the CNA operations contacts at Anthropic, OpenAI, Microsoft, GitHub, NVIDIA, and Google, the adjacent CNAs listed in section 8.2, specifically to enable rapid duplicate resolution in the agentic technology stack, where scope overlap is most frequent.

When a duplicate is identified at triage, the submitter is notified with the existing CVE reference and, where the ID is already published, the public record. When a duplicate is identified during the ID reservation step — indicating that another CNA has reserved an ID for the same vulnerability during CSAI’s evaluation period — CSAI contacts the other CNA to determine whether the reserved record covers the same vulnerability, whether the agentic properties of the vulnerability have been captured in that CNA’s record, and whether supplemental agentic metadata should be contributed to the other CNA’s record rather than creating a new ID.

When CSAI identifies agentic properties in a vulnerability that has already been assigned a CVE under another CNA’s scope, CSAI contributes its enriched analysis to that record rather than creating a parallel CVE. Only the assigning CNA can modify a record’s cna container, so in the ordinary case CSAI supplies the analysis to that CNA for inclusion in its record; if CSAI is later authorized as an Authorized Data Publisher (ADP), the analysis can instead be published in a CSAI adp container on the same record. Either route avoids ID fragmentation while ensuring that the agentic vulnerability properties are documented in the authoritative record.

5.4 Coordinated Disclosure Timelines

CSAI’s standard coordinated disclosure timeline is ninety days from the date the affected vendor is notified of the vulnerability. This timeline aligns with the Google Project Zero standard that has become the de facto industry norm and provides vendors sufficient time to develop, test, and deploy a fix for most vulnerability classes [12]. The timeline begins from vendor notification, not from the date of researcher submission to CSAI, and vendor notification occurs within five business days of CSAI completing full evaluation.

Extensions to the ninety-day standard timeline are available under specific conditions. An extension of up to forty-five days may be granted when the vendor is actively engaged in remediation and provides a credible patch release date within the extension window. Multi-vendor vulnerabilities that require coordinated patch releases across multiple products may receive a timeline extension up to sixty days to accommodate the logistical complexity of multi-vendor coordination. Vulnerabilities involving complex agentic architectural issues that require significant framework-level changes — rather than patch-level fixes — may receive extensions on a case-by-case basis approved by the CSAI technical lead and documented in the case record.

Accelerated disclosure applies when active exploitation is confirmed in the wild, when the vulnerability is being actively weaponized, or when a researcher has evidence that the vulnerability has been independently discovered by additional parties who may publish without coordination. Accelerated disclosure timeline decisions are made by the CSAI technical lead in consultation with the submitting researcher, the affected vendor, and — for critical-severity cases — CISA’s vulnerability coordination team.


6. Publication Process

6.1 CVE Record Format and Required Fields

CSAI publishes CVE records in the CVE Record Format, JSON schema version 5.1 [13]. Version 5.0 predates the cvssV4_0 metric block, so records carrying CVSS v4.0 scores must use 5.1 or later. All CSAI CVE records populate the following fields beyond the CVE program’s minimum requirements.

The cveMetadata section carries the standard fields (cveId, assignerOrgId, state). The record format closes cveMetadata to non-standard properties, so CSAI-specific metadata is carried in an x_-prefixed CSAI extension object inside the cna container, which the schema permits: a submitterOrgId when the submitting researcher is affiliated with an organization, and a discoveryMethod indicating whether the vulnerability was found through coordinated disclosure, independent research, bug bounty, or active-exploitation response.

The descriptions array includes a complete English-language description of the vulnerability that provides sufficient technical detail for a practitioner to understand the vulnerability class, the exploitation scenario, the affected component, and the conditions required for exploitation. CSAI descriptions for agentic vulnerabilities explicitly identify the agentic properties that make the vulnerability class distinct from classical software vulnerabilities in the same codebase, the behavioral conditions under which the vulnerability manifests, and the scope of agent capabilities that determine the maximum impact.

The affected array includes the standard vendor, product, and version information (and CPE identifiers where a CPE exists for the component). The agentic framework layer most directly implicated in the vulnerability, expressed in MAESTRO layer nomenclature, is recorded per affected product in the CSAI x_ extension, since the affected entries themselves do not admit non-standard properties.

The metrics array carries the CVSS v4.0 base vector string and base score with every base metric populated. CVSS v4.0’s Supplemental metric group is a fixed set of six metrics (Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, Provider Urgency) with no extension mechanism, and strict parsers reject vector strings containing unknown metrics, so CSAI’s five supplemental agentic metrics are not encoded into the vector. They are recorded as a structured annotation in the CSAI x_ extension alongside the metrics entry, leaving the vector string consumable by NVD and scanning tools unchanged.

The references array includes the vendor advisory, the researcher’s original disclosure report where public, and CSAI’s published technical analysis. For all accepted vulnerabilities, CSAI publishes a separate technical advisory on the CSAI website that provides the extended agentic context, OWASP ASI category mapping, MAESTRO layer analysis, and AICM control domain cross-reference that the CVE record format cannot fully accommodate.
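The following is an added example, not CSAI’s or the CVE program’s code: a Python builder and structural checker for a record laid out as section 6.1 describes. It places the CSAI fields under a containers.cna.x_csai key (an assumed layout; the manual names the fields, and the schema only promises that x_-prefixed keys are allowed in the cna container), refuses non-schema properties in cveMetadata, and rejects a CVSS v4.0 vector string carrying metric names the specification does not define, which is what a strict downstream parser would do. The CVE ID, orgId, product names and URL are constructed placeholders. Validating against the published JSON Schema (CVE_Record_Format.json) remains the authoritative step before submission; this code catches the structural slips first.

```python
"""CVE Record Format 5.1 record with a CNA extension: build it, then sanity-check it."""
import re

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,19}$")
# CVSS v4.0 vector: the eleven base metrics in fixed order with fixed value sets, then
# optional pairs restricted to the metric names the specification defines
# (the VALUES of those trailing groups are not checked here).
CVSS4_RE = re.compile(
    r"^CVSS:4\.0/AV:[NALP]/AC:[LH]/AT:[NP]/PR:[NLH]/UI:[NPA]"
    r"/VC:[HLN]/VI:[HLN]/VA:[HLN]/SC:[HLN]/SI:[HLN]/SA:[HLN]"
    r"(?:/(?:E|CR|IR|AR|MAV|MAC|MAT|MPR|MUI|MVC|MVI|MVA|MSC|MSI|MSA|S|AU|R|V|RE|U)"
    r":[A-Za-z]+)*$")
# cveMetadata is closed to custom properties: only these keys are permitted there.
META_KEYS = {"cveId", "assignerOrgId", "assignerShortName", "requesterUserId",
             "dateUpdated", "serial", "dateReserved", "datePublished", "state"}

def cvss4_severity(score):
    """Qualitative rating scale from the CVSS v4.0 specification."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    return "MEDIUM" if score < 7.0 else ("HIGH" if score < 9.0 else "CRITICAL")

def parse_cvss4_vector(vector):
    """Return {metric: value} for a well-formed CVSS v4.0 vector, else raise ValueError."""
    if not CVSS4_RE.match(vector):
        raise ValueError("malformed CVSS v4.0 vector: %r" % vector)
    return dict(part.split(":", 1) for part in vector.split("/")[1:])

def build_record(cve_id, org_id, description, vendor, product, versions, cvss_vector,
                 base_score, agentic, submitter_org=None,
                 discovery_method="coordinated-disclosure", references=()):
    """Assemble a PUBLISHED-state record. CSAI-specific data goes under the x_-prefixed
    key containers.cna.x_csai (an assumed layout), never into cveMetadata. baseScore is
    the analyst's figure; this code checks consistency, not the macrovector math."""
    cna = {
        "providerMetadata": {"orgId": org_id},
        "descriptions": [{"lang": "en", "value": description}],
        "affected": [{"vendor": vendor, "product": product,
                      "versions": [{"version": v, "status": "affected"} for v in versions]}],
        "references": [{"url": u} for u in references],
        "metrics": [{"format": "CVSS", "cvssV4_0": {
            "version": "4.0", "vectorString": cvss_vector,
            "baseScore": base_score, "baseSeverity": cvss4_severity(base_score)}}],
        # Agentic metrics stay OUT of the vector string: CVSS v4.0 has no extension
        # mechanism and strict parsers reject unknown metric names.
        "x_csai": {"submitterOrgId": submitter_org, "discoveryMethod": discovery_method,
                   "agenticMetrics": agentic},
    }
    return {"dataType": "CVE_RECORD", "dataVersion": "5.1",
            "cveMetadata": {"cveId": cve_id, "assignerOrgId": org_id, "state": "PUBLISHED"},
            "containers": {"cna": cna}}

def validate_record(rec):
    """Return a list of problems; an empty list means the structural checks passed."""
    problems = []
    meta = rec.get("cveMetadata", {})
    cna = rec.get("containers", {}).get("cna", {})
    if not CVE_ID_RE.match(meta.get("cveId", "")):
        problems.append("cveMetadata.cveId malformed")
    if meta.get("state") not in {"RESERVED", "PUBLISHED", "REJECTED"}:
        problems.append("cveMetadata.state invalid")
    for k in sorted(set(meta) - META_KEYS):
        problems.append("cveMetadata.%s is not a schema property; move it under containers.cna.x_*" % k)
    for k in ("providerMetadata", "descriptions", "affected", "references"):
        if not cna.get(k):
            problems.append("containers.cna.%s missing or empty" % k)
    for i, d in enumerate(cna.get("descriptions", [])):
        if not (d.get("lang") and d.get("value")):
            problems.append("descriptions[%d] needs lang and value" % i)
    for i, a in enumerate(cna.get("affected", [])):
        if not (a.get("vendor") and a.get("product")):
            problems.append("affected[%d] needs vendor and product" % i)
        if not (a.get("versions") or a.get("defaultStatus")):
            problems.append("affected[%d] needs versions or defaultStatus" % i)
    for i, r in enumerate(cna.get("references", [])):
        if not r.get("url"):
            problems.append("references[%d] needs url" % i)
    for i, m in enumerate(cna.get("metrics", [])):
        c = m.get("cvssV4_0")
        if c is None:
            continue
        try:
            parse_cvss4_vector(c.get("vectorString", ""))
        except ValueError as exc:
            problems.append("metrics[%d]: %s" % (i, exc))
        score = c.get("baseScore")
        if not isinstance(score, (int, float)) or not 0.0 <= score <= 10.0:
            problems.append("metrics[%d]: baseScore out of range" % i)
        elif c.get("baseSeverity") != cvss4_severity(score):
            problems.append("metrics[%d]: baseSeverity disagrees with baseScore" % i)
    return problems

# Constructed sample: placeholder CVE ID, orgId, product names and URL.
EXAMPLE = build_record(
    "CVE-2026-0000", "00000000-0000-4000-8000-000000000000",
    "Indirect prompt injection via tool output redirects the agent's goal and lets an "
    "attacker exfiltrate data reachable through the agent's granted tool permissions.",
    "example-vendor", "example-agent-framework", ["1.0.0", "1.1.0"],
    "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N", 8.6,
    {"AAF": "Elevated", "PP": "Cross-Session", "maestroLayer": "L3", "owaspASI": "ASI01"},
    references=["https://example.invalid/advisory"])
```

Note the split the code enforces: the agentic metrics ride in x_csai as plain data while vectorString stays a pure CVSS:4.0 string, so NVD and scanners that parse the vector are unaffected. Only the base group’s value sets are checked; the threat, environmental and supplemental values are left to the schema validator.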

6.2 Advisory Publication and Notification

Upon coordinated disclosure publication, CSAI executes a simultaneous multi-channel notification sequence. The CVE record is submitted to the CVE Services API for publication to the CVE list. The CSAI technical advisory is published to the CSAI website at a pre-staged URL that has been shared with coordination partners under embargo. CSAI’s threat intelligence feed (structured as a STIX 2.1 bundle) is updated with the new vulnerability record and distributed to registered subscribers. An alert is posted to the CSAI public disclosure channels, including the CSAI mailing list and the Agentic AI Security community forum maintained as part of the AI Risk Observatory program.

NVD notification occurs through the standard CVE program publication mechanism: upon CSAI’s CVE Services API submission, the record becomes available for NVD processing according to NVD’s own enrichment timelines. CSAI provides pre-populated enrichment data in the CVE record at publication, CVSS v4.0 metrics in the cna container and CPE identifiers on the affected entries, minimizing the NVD analysis backlog for CSAI-published records.

CERT/CC is notified for all agentic vulnerabilities scoring 8.0 or above and for all multi-vendor coordination cases, consistent with the established CERT/CC coordination role for high-impact cross-vendor disclosures. CISA’s vulnerability coordination team is notified for all critical-severity (9.0+) cases and for any agentic vulnerability that affects products deployed in critical infrastructure contexts.

6.3 Publication SLAs

CSAI’s target publication timelines reflect operational commitments made to the research community and the CVE program. The target mean time from CVE ID reservation to CVE record publication is thirty days for vulnerabilities where a patch is available at the time of CSAI evaluation completion. For vulnerabilities requiring coordinated disclosure with vendor remediation, publication occurs within five business days of the disclosure date established in the coordinated disclosure agreement. For emergency disclosures triggered by active exploitation, publication occurs within 48 hours of the escalation trigger.

CVE record quality review — a final check of record completeness, technical accuracy, and format compliance prior to submission — is completed by the CNA coordinator with technical lead sign-off for records with CVSS base scores of 8.0 or above. Records that fail quality review are returned to the technical lead for correction before submission, and publication is delayed rather than allowing an inaccurate or incomplete record to enter the CVE list. The CSAI position is that a delayed accurate record is preferable to a timely inaccurate one.

6.4 Embargo Management

Pre-publication vulnerability information in CSAI’s possession is managed under strict embargo controls. All individuals with access to non-public vulnerability information — CSAI staff, technical advisory panel members involved in specific cases, coordination partners — are required to acknowledge embargo obligations in writing at the time of disclosure. The embargo agreement specifies the terms of the embargo period, the permitted uses of non-public vulnerability information (remediation planning, internal risk assessment, patch development), and the consequences of unauthorized disclosure.

CSAI maintains a documented embargo list tracking all active embargoes, the parties who have received non-public information, the disclosure date, and any extensions or acceleration decisions. Embargo list review is a standing agenda item in weekly CNA operations meetings. When evidence emerges of potential embargo breach — a published blog post referencing undisclosed details, an unusual increase in scanning activity targeting a specific component, or a researcher reporting that they have seen the vulnerability discussed in non-public forums — CSAI’s technical lead immediately assesses whether accelerated disclosure is warranted and notifies the affected vendor and CERT/CC.


7. Dispute Resolution

7.1 Scope of Disputes

The CVE program requires all CNAs to maintain a documented dispute resolution process covering challenges to CNA scope determinations, CVE ID assignment decisions, and published CVE record accuracy [9]. CSAI recognizes four categories of dispute that its process must accommodate. Scope disputes arise when a party contends that CSAI CNA lacks authority over a specific vulnerability, either because it falls outside the agentic AI scope definition or because it properly belongs to another CNA’s scope. Assignment disputes arise when a party contends that a vulnerability does not meet CVE eligibility criteria — that it is not independently fixable, does not affect an identifiable product, or constitutes a model safety issue rather than an exploitable vulnerability. Record accuracy disputes arise when a party contends that a published CVE record contains factual errors in the vulnerability description, CVSS scoring, affected product information, or supplemental metadata. Deduplication disputes arise when a CNA contends that CSAI has assigned a CVE ID to a vulnerability for which another CNA has already assigned or reserved an ID.

7.2 Dispute Intake and Assignment

Disputes are submitted in writing to [email protected], identifying the CVE ID or submission tracking number in question, the category of dispute, the factual or analytical basis for the challenge, and the relief requested (rescission, scope transfer, record correction, or other). Disputes are acknowledged within three business days of receipt. The CNA coordinator assigns each dispute to the CSAI technical lead for initial assessment, with the CNA coordinator and a designated technical advisory panel member as reviewers.

7.3 Review Process and Decision Authority

The technical lead conducts an initial assessment within fifteen business days of dispute receipt. The initial assessment reviews the submitted basis for the dispute against the relevant scope criteria, assignment eligibility rules, or published record content, and produces one of three preliminary findings: the dispute is substantiated and CSAI will take the requested corrective action; the dispute is partially substantiated and CSAI will take a modified corrective action; or the dispute is not substantiated and CSAI will maintain its original determination.

The preliminary finding is shared with the disputing party with the full reasoning. The disputing party has ten business days to accept the preliminary finding or to submit additional evidence or argument for the technical lead’s reconsideration. If additional materials are submitted, the technical lead produces a final determination within ten business days of receipt, which constitutes CSAI’s final position.

CSAI’s technical lead has authority to make final determinations on record accuracy disputes and assignment eligibility disputes. Scope disputes and deduplication disputes in which CSAI and another CNA cannot reach agreement through the bilateral dispute process are escalated for resolution to MITRE, which acts as CSAI’s Root and as the CVE Program’s Top-Level Root. The CSAI technical lead informs the disputing CNA’s operational contact of the escalation and cooperates fully with MITRE’s review process.

7.4 Appeals and Escalation to MITRE

Any party who believes CSAI’s final determination on a dispute is inconsistent with the CVE program’s rules or materially harmful to the security community may escalate the dispute to MITRE’s CNA program office through the standard CVE program dispute escalation process. CSAI does not contest escalations to MITRE — it views MITRE’s oversight role as a structural safeguard for the CVE program’s integrity and cooperates with MITRE review processes without adversarial posture. CSAI’s response to a MITRE escalation includes full documentation of the dispute record and CSAI’s reasoning at each decision step.

Outcomes of MITRE-resolved disputes are implemented by CSAI within five business days of MITRE’s final determination, without requiring further internal review. CSAI incorporates the guidance from resolved disputes into its operational procedures and, where a MITRE determination reveals a genuine ambiguity in CSAI’s scope definition or assignment criteria, updates this manual accordingly.


8. Integration with the CNA Ecosystem

8.1 MITRE as Root CNA: Coordination Requirements

CSAI CNA operates within the CVE program hierarchy as a CNA reporting through the standard Root CNA structure. CSAI complies with all CNA Rules v4.1.0 requirements including annual CNA quality review participation, timely response to MITRE program inquiries, participation in CNA working group activities relevant to agentic vulnerability taxonomy, and reporting of annual CNA performance metrics to the program [9]. The CNA coordinator is the designated primary contact for MITRE program communications, with the technical lead as the designated backup.

CSAI participates actively in the CNA Community Forum discussions on vulnerability eligibility criteria, record quality standards, and taxonomy evolution, specifically contributing perspective on the challenges that agentic vulnerability classes pose to the program’s existing frameworks. CSAI’s proposed CWE extension categories for agentic failure modes — documented in the companion research note “CVE and CWE Agentic Vulnerability Catalog” — are submitted to the CWE program through MITRE’s standard CWE contribution process, and CSAI advocates for their adoption in CNA program forums.

For vulnerabilities that fall outside CSAI’s scope and outside any other CNA’s scope, CSAI refers submitters to MITRE’s intake process ([email protected]), in which MITRE acts as the CNA of Last Resort (CNA-LR). CSAI does not attempt to expand its scope to cover vulnerabilities outside the defined agentic AI domain simply because they would otherwise fall through the CNA ecosystem’s coverage gaps.

8.2 Adjacent CNAs: De-duplication Protocols

CSAI maintains formal operational coordination relationships with the CNAs whose scopes are most likely to overlap with agentic AI vulnerability disclosures. These relationships involve direct staff-to-staff contact at the operational level, not merely awareness of each CNA’s public-facing intake channels. The coordinating CNAs and their primary overlap domains are documented in the following table.

CNA       | Primary Overlap Domain                             | Coordination Trigger
----------|----------------------------------------------------|---------------------------------------------------------------------------------------------
Anthropic | Claude, Claude Code, MCP implementations           | Any vulnerability involving Anthropic products with agentic behavioral properties
OpenAI    | GPT-4o, Operator, Swarm framework                  | Any vulnerability involving OpenAI products with agentic behavioral properties
Microsoft | Copilot, Azure AI, AutoGen                         | Any vulnerability in Microsoft agentic products; EchoLeak-class indirect prompt injection affecting M365
GitHub    | GitHub Copilot, Actions with AI integration        | Vulnerabilities in GitHub product agentic features
NVIDIA    | NIM microservices, CUDA-based agent infrastructure | Vulnerabilities in NVIDIA’s agentic infrastructure products
Google    | Gemini agents, Vertex AI pipelines                 | Vulnerabilities in Google agentic products

The de-duplication protocol for cases where both CSAI and a vendor CNA have received the same disclosure is as follows. The first CNA to reserve an ID notifies the other CNA through the direct staff contact within one business day of reservation. The two CNAs review their respective evaluations and determine whether the reserved record covers the same vulnerability (indicating a true duplicate) or covers a different aspect of a related vulnerability (indicating a potential need for separate records with a cross-reference relationship). In the duplicate case, CSAI typically defers to the vendor CNA’s record and offers to contribute its agentic supplemental metadata as enrichment to that record. In the related-but-distinct case, CSAI publishes its record with an explicit related-CVE reference pointing to the vendor CNA’s record.

8.3 NVD Data Sharing

CSAI submits all published CVE records to NVD through the standard CVE program publication mechanism. In addition, CSAI provides NVD with pre-populated enrichment data at the time of record publication: CVSS v4.0 base score vectors, CPE identifiers for affected products, and a reference to the CSAI technical advisory. This enrichment reduces NVD’s analysis burden. CSAI’s agentic supplemental metrics travel in the record’s x_ extension data, which NVD’s record view does not currently surface; until it does, the CSAI technical advisory is where practitioners should expect to find them.

CSAI participates in NVD’s enrichment partnership program and maintains an ongoing dialogue with NVD staff on the challenges of CPE matching for agentic vulnerability records, where the affected component is often a behavior class rather than a discrete software package version. CSAI proposes that NVD introduce a structured field for agentic component type (agent framework, agentic protocol, orchestration runtime) to complement the existing product/version CPE structure, and advocates for this enhancement through the formal NVD engagement process.
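As an added example (not CSAI’s or NVD’s code) of the CPE matching problem described above: a Python implementation of the CPE 2.3 formatted-string binding from NIST IR 7695 and the per-attribute matching relations of NIST IR 7696, simplified to ignore wildcards inside values. It shows why a record that cannot pin a version ends up with a version of ANY, which matches every deployed release, and flags that before publication. Vendor and product names are constructed placeholders.

```python
"""CPE 2.3 formatted-string binding and applicability matching for affected products."""
import re

ATTRS = ("part", "vendor", "product", "version", "update", "edition", "language",
         "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "*", "-"   # the two logical values of the CPE specification

def bind(wfn):
    """Bind {attribute: value} to a cpe:2.3 string. Missing attributes become ANY and
    None becomes NA; letters, digits, '_', '-' and '.' pass through, every other printable
    character is backslash-quoted so it cannot be read as syntax (in-value wildcards are
    not supported here; a literal '*' or '?' is quoted)."""
    parts = ["cpe", "2.3"]
    for a in ATTRS:
        v = wfn.get(a, ANY)
        if v is None:
            parts.append(NA)
        elif v == ANY:
            parts.append(ANY)
        else:
            parts.append(re.sub(r"([^A-Za-z0-9_.\-])", r"\\\1", v.lower()))
    return ":".join(parts)

def unbind(cpe):
    """Inverse of bind: split on unquoted colons, strip quoting, return {attribute: value}
    with ANY and NA kept as the literal '*' and '-' markers."""
    fields = re.split(r"(?<!\\):", cpe)
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError("not a cpe:2.3 formatted string: %r" % cpe)
    return {a: (f if f in (ANY, NA) else re.sub(r"\\(.)", r"\1", f))
            for a, f in zip(ATTRS, fields[2:])}

def relation(source, target):
    """NIST IR 7696 relation of a record attribute (source) to an inventory attribute (target)."""
    if source.lower() == target.lower():
        return "EQUAL"
    if source == ANY:
        return "SUPERSET"
    if target == ANY:
        return "SUBSET"
    return "DISJOINT"   # NA against a value, or two differing values

def applies(record_cpe, deployed_cpe):
    """True when the record's CPE covers the deployed product: every attribute EQUAL or
    SUPERSET. SUBSET (the inventory side is unknown) is not a match; surface it for review."""
    rec, dep = unbind(record_cpe), unbind(deployed_cpe)
    return all(relation(rec[a], dep[a]) in ("EQUAL", "SUPERSET") for a in ATTRS)

def unpinned(record_cpe):
    """Identifying attributes left ANY in a record CPE. A version of ANY makes the record
    apply to every release, which is what happens when the affected component is a
    behaviour class rather than a pinned package; a reviewer should confirm that is intended."""
    rec = unbind(record_cpe)
    return [a for a in ("vendor", "product", "version") if rec[a] == ANY]

# Constructed placeholders, not real products. The '+' shows quoting in action.
RECORD_CPE = bind({"part": "a", "vendor": "example-vendor", "product": "agent+tools",
                   "version": "1.1.0", "target_sw": "python"})
RECORD_ANY_VERSION = bind({"part": "a", "vendor": "example-vendor", "product": "agent+tools"})
DEPLOYED_1_1 = "cpe:2.3:a:example-vendor:agent\\+tools:1.1.0:*:*:*:*:python:*:*"
DEPLOYED_1_2 = "cpe:2.3:a:example-vendor:agent\\+tools:1.2.0:*:*:*:*:python:*:*"

if __name__ == "__main__":
    for rec in (RECORD_CPE, RECORD_ANY_VERSION):
        print(rec, "unpinned:", unpinned(rec))
        for dep in (DEPLOYED_1_1, DEPLOYED_1_2):
            print("  applies to", dep.split(":")[5], "->", applies(rec, dep))
```

The target_sw slot (python above) is the closest existing place to say “runs inside this framework”; it narrows a match but is no substitute for the agentic component type field the text proposes, because it cannot express an orchestration runtime or protocol as the affected thing.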

8.4 ISAC and ISAO Notification

For critical and high-severity agentic vulnerabilities affecting sectors with established information-sharing communities, CSAI notifies the relevant ISAC or ISAO on a pre-disclosure basis when the affected organizations are likely to include critical infrastructure operators. The Financial Services ISAC (FS-ISAC) receives pre-disclosure notification for agentic vulnerabilities in platforms with significant financial services deployment, given the high authorization footprints of AI agents in financial workflows and the systemic risk potential of compromised agents in that sector. The Health-ISAC receives notification for agentic vulnerabilities in healthcare AI platforms and clinical AI agents. The IT-ISAC receives notification for agentic vulnerabilities with broad enterprise technology platform applicability.

ISAC notifications occur in parallel with vendor notification, under the same embargo controls, and include the CVE ID, the affected platform, the severity assessment, and the anticipated disclosure date. CSAI requests that ISACs use the pre-disclosure period to alert their member organizations to assess deployment exposure, prepare defensive measures, and plan patch deployment rather than to share technical details publicly before the coordinated disclosure date.


9. Staffing and Tooling

9.1 Minimum Staffing Model

CSAI CNA requires a minimum operational team of three full-time roles to execute the functions defined in this manual at a target intake volume of two to four new submissions per week, consistent with the observed rate of agentic vulnerability disclosures in early 2026 and projected to grow as agentic AI production deployments scale through the year.

The CNA Coordinator (1.0 FTE) is responsible for all intake processing, researcher communications, CVE ID reservation requests through the CVE Services API, record submission to the CVE list, coordination with external partners on routine deduplication and adjacent CNA coordination, dispute intake and tracking, and CNA program compliance reporting. This role requires familiarity with the CVE program’s operational rules and processes, strong written communication skills for researcher-facing interactions, and project management discipline for the concurrent case management that sustained intake volume requires.

The Technical Lead (1.0 FTE) is responsible for all full evaluations of accepted submissions, CVSS v4.0 scoring with agentic supplemental metrics, scope determinations in ambiguous cases, multi-vendor coordination requiring technical judgment, technical advisory panel coordination, CVE record quality review for high-severity records, dispute technical assessments, and CSAI CNA representation in CVE program working groups. This role requires deep technical expertise in agentic AI system architecture, LLM security research, and the specific frameworks and protocols constituting the current production agentic ecosystem. Prior experience with vulnerability research, CVE program participation, or CNA operations is required.

The Knowledge Management and Intelligence Specialist (1.0 FTE) is responsible for maintaining the CSAI public agentic vulnerability database (which aggregates agentic CVEs from all sources, not only CSAI-assigned records), publishing CSAI technical advisories, maintaining the CSAI threat intelligence feed, managing CWE extension proposal submissions to the CWE program, maintaining the OWASP ASI and MAESTRO cross-reference mappings in CVE record metadata, and producing the CSAI CNA annual performance report. This role requires a combination of technical writing skill, knowledge management discipline, and familiarity with the security knowledge frameworks (OWASP, MITRE ATLAS, MAESTRO, AICM) that CSAI uses for CVE record enrichment.

The minimum team is supplemented by a Technical Advisory Panel: a rotating group of five to seven subject matter experts drawn from the CSA AI Safety Initiative research community, each serving one-year terms. Panel members provide domain expertise for complex evaluations — particularly for vulnerability reports involving novel agentic failure modes not previously encountered in the CNA’s case history — and review CWE extension proposals before submission to the CWE program. Panel members are not full-time CSAI staff; their commitment is approximately four to eight hours per month plus availability for specific case consultations as requested by the technical lead.

As intake volume grows, CSAI projects the need to expand to a four-person team (adding a second CNA Coordinator or a second Technical Lead depending on the distribution of complex versus routine cases) at approximately eight to ten submissions per week sustained over a quarter.

9.2 Required Tooling

The CSAI CNA tooling stack addresses five functional requirements: intake management, case tracking, CVE record authoring, researcher portal management, and quality and performance metrics.

The intake and case tracking system must support structured intake forms for the three submission channels, automated routing to the appropriate queue based on triage keywords and component tags, case state tracking through the full lifecycle from initial receipt to CVE record publication, timeline management with automated alerts for approaching deadlines, communication log maintenance for all researcher and partner interactions, and access control that prevents non-public vulnerability information from being accessible to individuals not involved in the specific case. Jira with custom workflows or a purpose-built vulnerability management platform such as those used by established CNAs provides this functionality. The system must integrate with the CVE Services API for ID reservation and record submission.

The CVE record authoring environment must enforce the CVE Record Format 5.1 schema, validate all required CSAI-extended fields, provide the CVSS v4.0 base metric calculator with CSAI’s agentic-specific interpretation guidance embedded in the tool’s help text, and generate the agentic supplemental metric annotation in the required structured format. CSAI’s technical advisory panel reviews the CVSS interpretation guidance annually against evolving agentic vulnerability patterns to ensure the guidance remains current.

The researcher portal — the public-facing component of the intake and tracking system — provides submission forms for all three intake channels, PGP key retrieval, submission status tracking for active cases under embargo, and the public CSAI agentic vulnerability database. The database’s public interface allows search and filtering by CVE ID, affected component, OWASP ASI category, MAESTRO layer, and CVSS score range, providing practitioners with a structured discovery tool for agentic vulnerability intelligence.

9.3 Quality Metrics and Performance Targets

CSAI measures CNA operational quality through six key performance indicators reviewed monthly by CNA management and annually in the CSAI CNA report submitted to the CVE program.

Mean Time to Acknowledge (MTTA) measures the elapsed time from submission receipt to initial acknowledgment to the researcher, with a target of two business days and a maximum threshold of five business days. Mean Time to Triage (MTTT) measures the elapsed time from submission receipt to triage routing decision, with a target of ten business days. Mean Time to Assign (MTTA-Assign) measures the elapsed time from full evaluation completion (the point of confirmed scope and program eligibility) to CVE ID reservation, with a target of five business days. Mean Time to Publish (MTTP) measures the calendar time from CVE ID reservation to CVE record publication in the CVE list, with a target of thirty days for patched vulnerabilities and five business days after the coordinated disclosure date for vulnerabilities on defined timelines.

Record Completeness Rate measures the percentage of published records that include all CSAI-required extended fields — CVSS v4.0 score, agentic supplemental metrics, OWASP ASI mapping, MAESTRO layer annotation, and CSAI technical advisory reference — with a target of 100%. Researcher Acknowledgment Rate measures the percentage of published CVE records in which the discovering researcher receives public credit in the acknowledgments field (adjusted for researchers who request anonymity), with a target of 95%.
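An added example (not CSAI tooling) of computing the timing KPIs above from case milestones: it keeps the business-day metrics distinct from the calendar-day MTTP, skips milestones not yet reached rather than counting them as zero, and reports which cases exceeded the target and the hard maximum. Case records, tracking numbers and dates are constructed; public holidays are not excluded (an assumption a production tracker would fix with a holiday list).

```python
"""Timing KPIs from case milestones: business-day and calendar-day variants."""
from datetime import date, timedelta

# (start milestone, end milestone, unit, target, hard maximum), transcribed from section 9.3.
# "business" counts Monday-Friday days elapsed; "calendar" counts plain days.
# Public holidays are not excluded here (assumption; subtract a holiday list in production).
KPIS = {
    "MTTA":        ("received",  "acknowledged", "business",  2, 5),
    "MTTT":        ("received",  "triaged",      "business", 10, None),
    "MTTA-Assign": ("evaluated", "reserved",     "business",  5, None),
    "MTTP":        ("reserved",  "published",    "calendar", 30, None),
}

def business_days_between(start, end):
    """Weekdays strictly after start up to and including end: Friday to Monday counts 1."""
    if end < start:
        raise ValueError("end precedes start")
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days

def elapsed(start, end, unit):
    return business_days_between(start, end) if unit == "business" else (end - start).days

def kpi_report(cases):
    """Per KPI: sample size, mean, per-case values, and the cases over target / over maximum.
    Cases whose end milestone has not happened yet are excluded, not counted as zero."""
    report = {}
    for name, (start_f, end_f, unit, target, maximum) in KPIS.items():
        values, over_target, over_max = {}, [], []
        for c in cases:
            if c.get(start_f) is None or c.get(end_f) is None:
                continue
            v = elapsed(c[start_f], c[end_f], unit)
            values[c["id"]] = v
            if v > target:
                over_target.append(c["id"])
            if maximum is not None and v > maximum:
                over_max.append(c["id"])
        mean = round(sum(values.values()) / len(values), 2) if values else None
        report[name] = {"n": len(values), "mean": mean, "unit": unit, "target": target,
                        "values": values, "over_target": over_target, "over_max": over_max}
    return report

# Constructed case records; tracking numbers and dates are made up for the example.
# Case 1 is received on a Friday: 3 calendar days to the Monday acknowledgment is 1 business day.
CASES = [
    {"id": "CSAI-0001", "received": date(2026, 3, 6), "acknowledged": date(2026, 3, 9),
     "triaged": date(2026, 3, 16), "evaluated": date(2026, 3, 17),
     "reserved": date(2026, 3, 18), "published": date(2026, 4, 10)},
    {"id": "CSAI-0002", "received": date(2026, 3, 9), "acknowledged": date(2026, 3, 12),
     "triaged": date(2026, 3, 20), "evaluated": date(2026, 3, 24),
     "reserved": date(2026, 3, 25), "published": date(2026, 4, 30)},
    {"id": "CSAI-0003", "received": date(2026, 3, 10), "acknowledged": date(2026, 3, 19),
     "triaged": date(2026, 3, 27), "evaluated": None, "reserved": None, "published": None},
]

if __name__ == "__main__":
    for name, r in kpi_report(CASES).items():
        print(name, r["unit"], "n", r["n"], "mean", r["mean"],
              "over target", r["over_target"], "over max", r["over_max"])
```

Run against the constructed cases, the third case breaches the MTTA hard maximum and the MTTT target, and the second breaches MTTP; the still-open third case is simply absent from the MTTA-Assign and MTTP samples rather than dragging the means down.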


10. Escalation Procedures for High-Severity Agentic Vulnerabilities

High-severity agentic vulnerability escalation is the operational scenario that places the greatest demand on CSAI CNA’s resources, coordination capacity, and judgment. When an escalation trigger is activated, the standard intake and triage timelines give way to an accelerated process designed to minimize the window between CSAI’s awareness of a critical vulnerability and the availability of defensive guidance to the community.

An escalation is triggered by any of the following: a CVSS v4.0 base score of 9.0 or above on any accepted submission; confirmed active exploitation in the wild regardless of score; a vulnerability with an AAF rating of Elevated, a PP rating of Cross-Session, and a score above 7.0; or a multi-agent cascading failure affecting three or more distinct organizations’ deployments in a coordinated incident. The CNA coordinator who first identifies an escalation trigger immediately notifies the technical lead and initiates the escalation protocol, regardless of the time of day or day of week.

Within four hours of escalation trigger activation, the technical lead produces a preliminary severity assessment and confirms or downgrades the escalation determination. A confirmed escalation triggers simultaneous notification to: the affected vendor’s PSIRT contact; CERT/CC’s vulnerability coordination team; CISA’s vulnerability coordination team for vulnerabilities affecting products with critical infrastructure deployments; and the sector-specific ISACs identified as relevant based on deployment profile. These notifications include the preliminary severity assessment, the CVE ID (reserved immediately upon escalation confirmation), and CSAI’s initial analysis of the exploitation scenario.

The coordinated response timeline for a confirmed critical-severity escalation compresses the standard disclosure process. Vendor notification occurs simultaneously with CVE ID reservation. A maximum of seven days is provided for the vendor to produce an emergency advisory or patch, extendable to fourteen days only when the vendor provides credible evidence that a fix is imminent and active exploitation has not been confirmed. If no patch or advisory is available at the end of the vendor response window, CSAI publishes a limited public advisory — describing the vulnerability class, severity, and recommended mitigations including disabling or restricting the affected agent capability — concurrent with the CVE record publication. Full technical details are embargoed until a fix is available, but the existence of the vulnerability and the recommended defensive actions are made public.

For agentic vulnerabilities that are actively being weaponized against production deployments, CSAI does not withhold defensive guidance behind a vendor patch timeline. The community’s defensive need supersedes the vendor’s preference for coordinated patch-and-announce disclosure. CSAI communicates this position to vendors at the outset of any coordinated disclosure process, so that the operating expectation is set before an escalation scenario arises.

Post-escalation, CSAI publishes a case retrospective documenting the escalation timeline, the coordination actions taken, the effectiveness of the process, and any process improvements identified. These retrospectives are shared with CERT/CC and the CVE program as input to the continuous improvement of coordinated disclosure practices for high-severity agentic vulnerabilities.


References

[1] Cloud Security Alliance, “Cloud Security Alliance Launches CSAI Foundation With Mission of ‘Securing the Agentic Control Plane,’” CSA Press Release, March 23, 2026. https://cloudsecurityalliance.org/press-releases/2026/03/23/csa-securing-the-agentic-control-plane

[2] MITRE Corporation, “CVE Program Overview,” cve.org. https://www.cve.org/about/overview

[3] MITRE Corporation / CVE Program, “List of Partners: CVE Numbering Authorities,” cve.org. https://www.cve.org/PartnerInformation/ListofPartners

[4] CISA, “CISA Root Common Vulnerability and Exposures Numbering Authority for Industrial Control Systems,” cisa.gov. https://www.cisa.gov/resources-tools/programs/cisa-root-common-vulnerability-and-exposures-numbering-authority-industrial-control-systems

[5] heyuan110, “MCP Security 2026: 30 CVEs in 60 Days — What Went Wrong,” March 10, 2026. https://www.heyuan110.com/posts/ai/2026-03-10-mcp-security-2026/

[6] Cloud Security Alliance AI Safety Initiative, “CVE and CWE Agentic Vulnerability Catalog: Weakness Classes Introduced by Autonomous AI Agents,” CSAI Foundation Research Note, March 27, 2026.

[7] Cloud Security Alliance, “Agentic AI Threat Modeling Framework: MAESTRO,” CSA Blog, February 6, 2025. https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro

[8] Cloud Security Alliance, “AI Controls Matrix,” CSA Artifacts. https://cloudsecurityalliance.org/artifacts/ai-controls-matrix

[9] MITRE Corporation / CVE Program, “CVE Numbering Authority (CNA) Operational Rules v4.1.0,” cve.org. https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.1.0.pdf

[10] FIRST, “CVSS v4.0 Specification Document,” first.org, November 2023. https://www.first.org/cvss/v4-0/

[11] FIRST, “CVSS v4.0 User Guide,” first.org. https://www.first.org/cvss/v4.0/user-guide

[12] Google Project Zero, “Vulnerability Disclosure FAQ,” googleprojectzero.blogspot.com. https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html; CERT/CC, “Disclosure Timing,” CERT Guide to Coordinated Vulnerability Disclosure. https://certcc.github.io/CERT-Guide-to-CVD/howto/coordination/disclosure_timing/

[13] CVE Project, “CVE JSON Record Format,” cveproject.github.io. https://cveproject.github.io/cve-schema/schema/docs/

[14] OWASP GenAI Security Project, “OWASP Top 10 for Agentic Applications for 2026,” December 2025. https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/

[15] authzed, “A Timeline of Model Context Protocol (MCP) Security Breaches,” authzed Blog. https://authzed.com/blog/timeline-mcp-breaches

[16] JFrog Security Research, “Critical RCE Vulnerability in mcp-remote: CVE-2025-6514,” JFrog Blog. https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability/

[17] NCC Group / SOCRadar, “CVE-2026-25253: 1-Click RCE in OpenClaw Through Auth Token Exfiltration,” February 2026. https://socradar.io/blog/cve-2026-25253-rce-openclaw-auth-token/

[18] CISA, “Coordinated Vulnerability Disclosure Program,” cisa.gov. https://www.cisa.gov/resources-tools/programs/coordinated-vulnerability-disclosure-program

[19] Zenity Labs / MITRE, “Zenity & MITRE ATLAS Expand AI Agent Attack Coverage,” Zenity Blog, October 2025. https://zenity.io/blog/current-events/zenity-labs-and-mitre-atlas-collaborate-to-advances-ai-agent-security-with-the-first-release-of