AI Companies to Play Bigger Role in CVE Program, Says CISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is positioning artificial‑intelligence developers as essential partners in the nation’s most critical vulnerability database. By urging firms like OpenAI and Anthropic to become official CVE Numbering Authorities, CISA hopes to tap the rapid pattern‑recognition abilities of large language models to keep pace with an ever‑growing threat landscape. This outreach aligns with CISA’s broader diversification agenda, which already added consumer and researcher working groups in 2025 and now boasts over 500 CNAs worldwide.

Anthropic’s Claude Mythos Preview and OpenAI’s GPT‑5.4‑Cyber exemplify the next generation of AI‑assisted security tools. Mythos, limited to 40 members of Project Glasswing, reportedly uncovered thousands of zero‑day flaws and even chained vulnerabilities in the Linux kernel, while GPT‑5.4‑Cyber is offered through a trusted‑access program for vetted defenders. Although early tests show promise, experts caution that these models must be vetted before market release to avoid exposing untested attack vectors. The balance between accelerated discovery and responsible deployment will shape regulatory and industry standards.

The CVE program’s growth trajectory underscores the urgency of this collaboration. Forecasts predict a record‑breaking 70,135 CVE entries in 2026, a 45% jump from the prior year, driven by both human researchers and AI‑powered scanners. Funding remains secure despite a DHS shutdown, allowing CISA to continue expanding outreach and support for new CNAs. As AI firms potentially join the CNA roster, the CVE ecosystem could achieve unprecedented scale and diversity, delivering faster remediation cycles for enterprises and critical infrastructure alike.