Reforming Coordinated Vulnerability Disclosure for the Autonomous Bug Hunter Era

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-06-07

Categories: AI Security, Vulnerability Management, Policy and Governance

Key Takeaways

  • Autonomous AI systems are now discovering valid, high-severity software vulnerabilities at a scale and speed that existing coordinated vulnerability disclosure (CVD) infrastructure cannot absorb. The Forum of Incident Response and Security Teams (FIRST) projects a median of approximately 59,427 CVEs for 2026, revised upward to nearly 68,000 in its May update—volumes AI-assisted discovery is materially accelerating [1][2].
  • The 90-day patch window and the human-centered norms that govern CVD were designed for individual researchers working at human speed. They do not specify who the responsible disclosing party is when the finder is an autonomous agent, how disclosure timelines should be calculated when vulnerabilities arrive in machine-volume batches, or what happens to findings that enter vendor programs and produce no CVE, no advisory, and no public record.
  • Google Project Zero’s July 2025 “Reporting Transparency” initiative—which publicly announces the existence of a report within approximately one week of filing it with a vendor, and now extends to its Big Sleep AI agent—is among the first concrete policy adaptations to acknowledge that AI-speed discovery demands AI-speed accountability [3][4].
  • The National Vulnerability Database’s April 2026 decision to shift to prioritized enrichment of incoming CVEs, after submission volumes rose 263 percent between 2020 and 2025, signals that the patch-and-disclose pipeline may have reached a saturation point—suggesting, at minimum, that architectural review of the enrichment layer is overdue [5][19].
  • Security teams should immediately audit their vulnerability intake processes for AI-submitted reports, establish clear operator accountability policies for agentic discovery tools, and engage with emerging frameworks—including CISA’s AI Cybersecurity Collaboration Playbook and NIST’s draft Cyber AI Profile—that are beginning to address machine-speed disclosure as a governance problem [6][7].

Background

Coordinated vulnerability disclosure has been the organizing principle of software security research since the early 2000s. Under the CVD model, a researcher who discovers a vulnerability reports it privately to the affected vendor, allows a negotiated period—typically 90 days—for patch development and release, and then publishes findings publicly to inform defenders and press the remediation to completion. The model was architected around the reality of the time: individual researchers or small teams, working manually, finding vulnerabilities at a pace vendors and disclosure coordinators could manage. The incentive structures—bug bounty payouts, CVE attribution, researcher reputation—reinforced human accountability at every step.

Autonomous AI systems have systematically destabilized each of those assumptions. XBOW, an AI-powered penetration testing platform, reached the top position on HackerOne’s US leaderboard in mid-2025 after submitting approximately 1,060 vulnerability reports—including 54 classified as critical and 242 as high severity—against programs operated by Amazon, Disney, PayPal, and Sony, all generated autonomously [8][9]. Google DeepMind and Project Zero’s Big Sleep agent discovered a stack buffer underflow in SQLite (CVE-2025-6965) in July 2025 and has also found vulnerabilities across FFmpeg, ImageMagick, and other widely deployed open-source libraries [4]. HackerOne’s 2025 Hacker-Powered Security Report shows 70 percent of participating hackers now use AI in their workflows, with valid AI-assisted vulnerability reports growing 210 percent year over year, led by prompt injection findings [10].

Taken together, these cases are more plausibly early indicators of a structural shift than isolated outliers, given the trajectory of underlying model capabilities and platform adoption. The FIRST 2026 Vulnerability Forecast, published in February and substantially revised upward in May, links sharp year-over-year disclosure increases at major software suppliers to AI-assisted research: Chrome is up 563 percent, VMware up 181 percent, Apache up 170 percent, and Mozilla up 157 percent [5]. CERT-EU’s April 2026 analysis reaches similar conclusions, finding that AI is fundamentally reshaping the economics of vulnerability discovery in ways that require defenders to adapt their processes immediately [16]. The aggregate trajectory, barring material changes to model capability ceilings or regulatory constraints, points toward a new operating reality in which vulnerability discovery is no longer rate-limited by human research capacity.

The disclosure infrastructure that is supposed to receive, triage, and route these findings was not built for this reality. The NVD—the authoritative public enrichment layer for disclosed CVEs—moved in April 2026 to selective, prioritized enrichment after it could no longer keep pace with submission volume, which had grown 263 percent since 2020 [5][19]. CrowdStrike’s 2025 threat data recorded a 42 percent year-over-year increase in zero-day vulnerabilities exploited before public disclosure—a trend consistent with the time pressure AI-speed discovery creates for adversaries who can also operate at machine speed, though multiple factors contribute to the zero-day exploitation rate [11]. The gap between discovery and patch is widening in both directions: faster finding, slower absorption.

Security Analysis

The Volume Shock and the NVD Saturation Signal

The raw CVE volume forecast is significant less for the headline number than for what it reveals about pipeline architecture. FIRST’s May 2026 update projects a cumulative drift of 46.3 percent above its original forecast—an excess of roughly 6,420 CVEs over the model—driven in part by AI research tools lowering the marginal cost of vulnerability discovery across the software supply chain [2]. Critically, FIRST also notes that when this surge is filtered for actual exploitability—using CISA’s Known Exploited Vulnerabilities catalog and EPSS scores above ten percent—the actionable patching burden for existing production systems remains comparatively flat [2]. The implication is counterintuitive but important: the volume shock is real, but the security risk it represents is not evenly distributed across every CVE. The pipeline crisis is one of triage and coordination, not of uniform exposure.

That distinction, however, does not diminish the structural problem. The NVD’s shift to prioritized enrichment effectively acknowledges that the public vulnerability record will, for the foreseeable future, be incomplete, with a growing backlog of formally assigned CVEs that carry no enrichment and therefore no actionable CVSS score, CWE mapping, or CPE data for the defenders and tools that depend on them [19]. When AI agents are generating valid vulnerability reports at scale and the enrichment infrastructure cannot keep pace, defenders face a scenario in which the authoritative public record underrepresents the known attack surface. Adversaries who are also running AI-assisted discovery tools operate with no equivalent constraint.

The Disclosure Norms Gap

The 90-day patch window, which Google Project Zero popularized and the security research community broadly adopted, was designed to create predictable time pressure on vendors without exposing users to indefinite risk while patches were being developed. It works when the unit of disclosure is a single, human-identified vulnerability reported by an identifiable researcher. It breaks down in several ways under autonomous discovery.

First, the question of who is the responsible disclosing party has no clear answer when the finder is an AI agent. XBOW reviews findings before submission, maintaining a human in the loop prior to the report reaching the vendor [9]. Big Sleep operates under Project Zero’s institutional umbrella, with accountability mechanisms established through Project Zero’s public disclosure policy [3]—a structural advantage most AI-assisted discovery deployments do not possess. But the broader ecosystem of AI-assisted bug discovery—including the 70 percent of researchers using AI as part of a workflow—contains many configurations where the boundary between human judgment and automated generation is ambiguous, and where the organizational operator of an AI tool may not have thought through their disclosure obligations before deploying it [10].

Second, machine-speed discovery creates volume patterns for which vendor intake processes were not designed. A single AI system can submit dozens of valid reports against a single program within hours. Vendors with 90-day clocks running simultaneously on large numbers of AI-generated findings face a coordination problem that is categorically different from managing a handful of reports from named researchers. The result is a pattern of findings that enter vendor bug bounty programs and produce no CVE assignment, no public advisory, and no coordinated disclosure—a transparency gap that CSA Labs has characterized as the “AI agent disclosure vacuum” [17], informally described by practitioners as the “silent bounty” problem.

Third, the attribution conventions that underpin researcher reputation and CVE naming—conventions that serve as accountability mechanisms and incentive structures—were not designed for AI-authored reports. The emerging practice of crediting AI-assisted discovery in CVE attributions—as evidenced by attribution language in early-2026 vendor security advisories—is inconsistent and not governed by any standard. This matters because attribution drives behavior: clear norms about what human operators owe when they deploy AI discovery tools shape whether operators handle findings responsibly.

The Dual-Use Complication

AI vulnerability discovery tools are inherently dual-use in a way that distinguishes them from prior automation. A static analysis tool that finds buffer overflows is useful to defenders and attackers alike, but it operates on known vulnerability classes through deterministic rules. Autonomous agents that can reason about novel attack paths, chain multi-step exploits, and generate functional proof-of-concept code on demand represent a qualitative shift in what automation can accomplish without the specialized reverse engineering or exploit development expertise previously required of individual researchers. The same capability that allowed Big Sleep to identify the SQLite buffer underflow before threat actors exploited it in the wild is, in principle, available to any party that can access a capable model and point it at a target [4].

This dual-use nature creates a disclosure challenge that goes beyond the mechanics of the 90-day window. Researchers have proposed extending CVD-style frameworks to AI systems themselves—specifically the capabilities those systems possess—under the rubric of “Coordinated Flaw Disclosure” for AI and “Coordinated Disclosure of Dual-Use Capabilities” [12][13]. The argument is that certain AI capabilities, including the ability to discover and exploit novel vulnerabilities at scale, constitute a form of systemic risk that warrants early warning to defenders and policymakers before those capabilities are widely deployed, paralleling the logic of vulnerability disclosure itself [18]. The AI Safety International Report 2026 specifically identifies autonomous offensive cyber capabilities as among the AI risks warranting structured pre-deployment disclosure [14].

The current regulatory landscape provides only a partial scaffold. CISA’s JCDC AI Cybersecurity Collaboration Playbook, published January 14, 2025, establishes a voluntary information-sharing channel for AI-related cybersecurity incidents and includes agentic platforms in its reporting scope [6]. NIST’s preliminary Cyber AI Profile, released in December 2025 and built on Cybersecurity Framework 2.0, extends risk governance guidance to AI systems but does not yet address autonomous discovery as a distinct disclosure category [7]. The gap is concrete: neither framework addresses autonomous agents as disclosing parties, operator accountability for AI-generated reports, or the failure mode where AI-found vulnerabilities never reach public disclosure.

Recommendations

Immediate Actions

Organizations deploying AI tools for vulnerability research or penetration testing should immediately designate a human operator as the responsible disclosing party for all AI-generated findings, with explicit accountability for following applicable CVD procedures regardless of how the finding was generated. This policy should be documented, reviewed by legal counsel for applicable jurisdiction, and communicated to bug bounty program operators before AI-assisted submissions begin. Organizations should also audit their vendor intake processes to ensure they can track AI-sourced reports through triage and disclosure, and that no valid AI-generated finding is resolved through a silent bounty without a CVE or equivalent public record.

Bug bounty platform operators should revise their terms to explicitly address AI-submitted reports, including requirements for human review before submission, disclosure of the AI tools and operators involved, and the conditions under which automated batch submissions are permissible. HackerOne’s existing policy requiring human review of automated findings is a reasonable baseline, but it is not yet an industry-wide norm [9].

Short-Term Mitigations

Security teams should restructure vulnerability intake and triage workflows to handle AI-generated report volumes. Practically, this means implementing prioritization criteria—aligned with EPSS scores, KEV catalog inclusion, and asset criticality—before 90-day clocks begin, so that the team’s attention is directed toward the subset of AI-generated findings most likely to be exploited rather than treated as undifferentiated volume. FIRST’s analysis that the actionable patching burden remains comparatively flat even as raw CVE counts surge is a useful framing for this triage posture [2].
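
One way to express that pre-clock triage in code, as an added example that is not part of the CSA note. Only the three criteria (KEV inclusion, EPSS above ten percent, asset criticality) come from the text; the `triage` function, the bucket ordering, the asset names, the sample scores and the `CVE-0000-…` placeholder IDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

EPSS_THRESHOLD = 0.10  # "EPSS scores above ten percent", the filter cited from FIRST
# Assumed ordering: findings with unknown exploit likelihood rank above the scored backlog.
BUCKET_ORDER = {"kev": 0, "epss": 1, "unscored": 2, "backlog": 3}

@dataclass(frozen=True)
class Finding:
    report_id: str
    cve_id: Optional[str]  # None until a CVE has been assigned
    asset: str

def triage(findings, kev, epss, criticality):
    """Return (report_id, bucket) pairs, most urgent first.

    kev: set of CVE IDs listed in the KEV catalog
    epss: dict of CVE ID -> EPSS probability (0.0 to 1.0)
    criticality: dict of asset name -> integer, higher is more critical
    """
    rows = []
    for f in findings:
        score = epss.get(f.cve_id) if f.cve_id else None
        if f.cve_id in kev:
            bucket = "kev"
        elif score is None:
            # No CVE yet, or a CVE that has not been scored: keep it visible
            # instead of letting a missing score read as "low risk".
            bucket = "unscored"
        elif score > EPSS_THRESHOLD:
            bucket = "epss"
        else:
            bucket = "backlog"
        # An asset missing from the inventory is treated as most critical.
        crit = criticality.get(f.asset, max(criticality.values(), default=0))
        rows.append((BUCKET_ORDER[bucket], -crit, f.report_id, bucket))
    rows.sort()  # bucket first, then descending criticality, then report ID
    return [(rid, bucket) for _, _, rid, bucket in rows]

# Constructed sample data (placeholder CVE IDs, not real identifiers).
SAMPLE_KEV = {"CVE-0000-0001"}
SAMPLE_EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.45,
               "CVE-0000-0003": 0.01, "CVE-0000-0004": 0.30}
SAMPLE_CRITICALITY = {"payments-api": 3, "build-server": 2, "intranet-wiki": 1}
SAMPLE_FINDINGS = [
    Finding("R-101", "CVE-0000-0003", "payments-api"),
    Finding("R-102", "CVE-0000-0002", "intranet-wiki"),
    Finding("R-103", None, "build-server"),
    Finding("R-104", "CVE-0000-0001", "intranet-wiki"),
    Finding("R-105", "CVE-0000-0004", "payments-api"),
    Finding("R-106", "CVE-0000-0005", "payments-api"),  # CVE assigned, no EPSS score
]

if __name__ == "__main__":
    for rid, bucket in triage(SAMPLE_FINDINGS, SAMPLE_KEV, SAMPLE_EPSS, SAMPLE_CRITICALITY):
        print(rid, bucket)
```

The `unscored` bucket covers both findings that have no CVE yet and CVEs that have been assigned but carry no score, which is the case the NVD enrichment backlog makes more common.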

Organizations that rely on the NVD as a data source for patch prioritization and vulnerability management tooling should evaluate supplemental data providers for CVE enrichment, given the NVD’s move to selective enrichment. VulnCheck, CISA KEV, and commercial threat intelligence feeds that independently enrich CVE data represent mitigations for the enrichment gap the NVD’s capacity constraints have introduced [5][19].

Vendors who receive AI-generated vulnerability reports should establish explicit intake procedures that ensure every valid finding reaches the CVE assignment and disclosure process, not just bug bounty resolution. Engaging directly with CVE Numbering Authorities for guidance on AI-assisted discovery attribution is recommended as the volume of such reports increases.

Strategic Considerations

The security community needs a governance reckoning with coordinated disclosure norms that is proportional to the structural change AI discovery has introduced. The 90-day timeline, the human-researcher model of accountability, and the NVD as the authoritative enrichment layer were built for a different era. Google Project Zero’s Reporting Transparency initiative—publicly disclosing the existence of a report within approximately one week of filing to create vendor accountability without waiting for patch completion—is one concrete adaptation to AI-speed dynamics that other researchers and organizations should evaluate adopting [3][4].

CISA’s ongoing work through the JCDC, and NIST’s development of the Cyber AI Profile, are the appropriate venues for formalizing updated CVD standards that explicitly address autonomous agents as disclosing parties, establish operator accountability requirements, and create clear rules for what constitutes adequate disclosure when AI-generated findings are not resolved through a CVE or public advisory. Security practitioners, AI developers, and legal counsel should engage directly with those processes. The window for shaping standards before the volume problem further outruns the governance framework is narrow.

Longer term, the security community should engage with proposals to extend disclosure frameworks to AI capabilities themselves, not only to the vulnerabilities those systems find. A model that can autonomously discover and chain novel exploits in critical infrastructure software is a systemic risk asset in a way that warrants structured pre-deployment notification to defenders—analogous to how responsible frontier AI developers share pre-release access with governments today, but formalized for offensive cyber capability specifically. The Software Engineering Institute has made a complementary argument that CVD frameworks need updating to account for AI systems as both subject and agent of vulnerability disclosure, not solely as a research tool [15].

CSA Resource Alignment

This research note engages directly with CSA’s AI Incident Management (AICM) framework, which establishes shared security responsibility across AI supply chains including the operators who deploy autonomous discovery tools and the vendors whose systems they assess. The operator layer carries specific responsibilities under AICM for validating outputs before they act in the world—an obligation directly applicable to AI-generated vulnerability reports submitted to bug bounty programs or disclosed to third parties.

CSA’s MAESTRO threat modeling methodology addresses the multi-agent attack surface that autonomous vulnerability discovery systems inhabit: agents that interact with target systems, return findings to human operators, and trigger downstream disclosure workflows are subject to the same prompt injection, tool misuse, and lateral movement risks MAESTRO maps for agentic AI systems. Secure deployment of AI bug hunters is a MAESTRO application problem as much as it is a policy one.

The developing STAR for AI assessment program, and the catastrophic risk overlay to the AI Controls Matrix, are the natural home for controls governing offensive-capable AI systems—including autonomous vulnerability discovery agents. Organizations seeking an independent assurance vehicle for demonstrating responsible deployment of such tools should engage with STAR for AI as it matures. The CSA AI Controls Matrix (AICM) Domain 7 (Vulnerability and Patch Management) and Domain 14 (Incident Response) provide the control foundations against which AI-driven discovery programs should be assessed.

CSA’s Zero Trust guidance is relevant to the network and access segmentation controls that should govern AI vulnerability agents operating in production-adjacent environments, limiting blast radius if an agent is compromised or misused.

References

[1] Forum of Incident Response and Security Teams. “Vulnerability Forecast 2026: The Year Ahead.” FIRST, February 11, 2026.

[2] Forum of Incident Response and Security Teams. “The 2026 Vulnerability Forecast Update: Navigating the AI Epoch.” FIRST, May 22, 2026.

[3] Google Project Zero. “Policy and Disclosure: 2025 Edition.” Project Zero Blog, July 29, 2025.

[4] The Hacker News. “Google AI ‘Big Sleep’ Stops Exploitation of Critical SQLite Vulnerability Before Hackers Act.” The Hacker News, July 16, 2025.

[5] VulnCheck. “The First CVE Wave: Signs That AI-Assisted Vulnerability Discovery Is Reshaping Disclosure Volumes.” VulnCheck Blog, May 14, 2026.

[6] Cybersecurity and Infrastructure Security Agency. “CISA Releases the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet.” CISA, January 14, 2025.

[7] Cybersecurity Dive. “NIST Adds to AI Security Guidance with Cybersecurity Framework Profile.” Cybersecurity Dive, December 2025.

[8] XBOW. “The Road to Top 1: How XBOW Did It.” XBOW Blog, June 24, 2025.

[9] Tech Republic. “AI Bug Hunter Sets Milestone By Claiming Top Spot on HackerOne’s Leaderboard.” Tech Republic, June 26, 2025.

[10] HackerOne. “Hacker-Powered Security Report 2025.” HackerOne, October 2025.

[11] CrowdStrike. “Tune In: The Future of AI-Powered Vulnerability Discovery.” CrowdStrike Blog, May 2026.

[12] Cattell, Ghosh, and Kaffee. “Coordinated Flaw Disclosure for AI: Beyond Security Vulnerabilities.” arXiv:2402.07039, AIES 2024, February 2024.

[13] O’Brien et al. “Coordinated Disclosure of Dual-Use Capabilities: An Early Warning System for Advanced AI.” arXiv:2407.01420, July 2024.

[14] Bengio et al. “International AI Safety Report 2026.” arXiv, February 2026.

[15] Software Engineering Institute, Carnegie Mellon University. “Protecting AI from the Outside In: The Case for Coordinated Vulnerability Disclosure.” SEI Blog, February 24, 2025.

[16] CERT-EU. “AI Is Changing the Economics of Vulnerability Discovery. Defenders Should Adapt Now.” CERT-EU Blog, April 21, 2026.

[17] Cloud Security Alliance Labs. “The AI Agent Disclosure Vacuum.” CSA Labs, April 17, 2026.

[18] Longpre et al. “In-House Evaluation Is Not Enough: Towards Robust Third-Party Flaw Disclosure for General-Purpose AI.” arXiv, March 2025.

[19] National Institute of Standards and Technology. “NIST Updates NVD Operations to Address Record CVE Growth.” NIST, April 2026.