
The First CVE Wave: Signs That AI-Assisted Vulnerability Discovery Is Reshaping Disclosure Volumes

VulnCheck Blog, May 14, 2026
Patrick Garrity (in/patrickmgarrity/)

Tags: cve, ai

Key Takeaways:

- CVE disclosure volumes are up sharply year-to-date (YTD) across several software suppliers, including Chrome (+563.2%), VMware (+180.9%), Apache (+170.3%), Mozilla (+156.9%), HPE (+132.3%), and F5 (+113.8%).
- GitHub CVE issuance is also up significantly YTD (+476.07%), with GitHub indicating the increase is spread across many reporters and projects rather than concentrated in one source.
- The increases are consistent with broader use of AI-assisted vulnerability discovery, though the signal is still emerging and not all increases can be directly attributed to AI.
- Public examples from Mozilla, Microsoft, Apache, Curl, and Palo Alto show AI models being used to find, validate, or triage vulnerabilities, with mixed results depending on the project.
- What is less clear is whether these volumes will be sustained, or whether this is a temporary surge as frontier AI models are applied across different code bases.
- Defenders should prepare for higher vulnerability volumes while continuing to use threat intelligence to prioritize emerging threats that are being actively exploited or likely to be.

Since the start of this year, I've been watching for evidence of AI-assisted vulnerability discovery in publicly disclosed CVE volumes. The early signals were noisy. Our "report a vulnerability" service saw a flood of submissions that, frankly, started as slop.
But over the past few months, the quality of incoming submissions has noticeably improved, and the underlying volume hasn't subsided.

Then on April 7, 2026, Anthropic announced Project Glasswing and Claude Mythos Preview, and the conversation shifted hard. Anthropic claimed Mythos had already identified thousands of zero-day vulnerabilities across every major operating system and web browser. Rather than releasing the model publicly, they funneled access to a coalition of partners, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus several other organizations.

The cybersecurity industry's response was a mix of awe, fear, uncertainty, and doubt, which prompted two questions: At what scale is AI-assisted vulnerability discovery real? And at what scale would we see it in the public disclosure of vulnerabilities? That led me to build a list tracking Anthropic-attributed CVEs. We are now two Patch Tuesdays past the Glasswing announcement, and the signals are starting to emerge.

To put the results in perspective, I started by looking at the top 20 CVE Numbering Authorities (CNAs) and their CVE issuance volume over the past five years, and found clear indications across several projects of the likely impact AI-assisted vulnerability discovery is having on public vulnerability disclosures.

[Chart: CVE Issuance Trends - Top Software Suppliers]
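As an added illustration of the kind of year-to-date comparison described above (example code written for this page, not VulnCheck's own tooling or methodology), the Python below counts published CVEs per CNA within the same calendar window of two consecutive years and reports the percentage change. It assumes records in the CVE Program's JSON 5.x shape (`cveMetadata.assignerShortName`, `cveMetadata.state`, `cveMetadata.datePublished`); the sample records and CNA names are constructed, the May 14 cutoff is an assumption chosen to match the post date, and a CNA with no prior-year base gets no percentage, since growth measured from zero is not meaningful and would otherwise dominate any ranking.

```python
"""Year-to-date CVE issuance growth per CNA from CVE JSON 5 records.

Added example for this page, not VulnCheck's tooling or methodology.
Assumes the CVE Program's JSON 5.x record shape: cveMetadata.assignerShortName,
cveMetadata.state and cveMetadata.datePublished. The records below are
constructed; the May 14 cutoff is an assumption chosen to match the post date.
"""
from collections import Counter
from datetime import datetime, timezone


def parse_published(ts):
    """Parse an RFC 3339 timestamp such as 2026-05-14T09:00:00.000Z to UTC.

    fromisoformat() does not accept a trailing 'Z' before Python 3.11, so it
    is rewritten as an explicit offset; a zone-less timestamp is taken as UTC.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def ytd_counts(records, year, cutoff):
    """Count PUBLISHED CVEs per CNA from 1 January of `year` through `cutoff`.

    `cutoff` is a (month, day) pair so that the same partial-year window is
    used for both years; REJECTED records never represented a disclosure and
    are skipped.
    """
    month, day = cutoff
    start = datetime(year, 1, 1, tzinfo=timezone.utc)
    end = datetime(year, month, day, 23, 59, 59, tzinfo=timezone.utc)
    counts = Counter()
    for rec in records:
        meta = rec["cveMetadata"]
        if meta.get("state") != "PUBLISHED":
            continue
        published = parse_published(meta["datePublished"])
        if start <= published <= end:
            counts[meta["assignerShortName"]] += 1
    return counts


def yoy_growth(records, year, cutoff, min_prior=1):
    """Return {cna: (prior_count, current_count, pct_change_or_None)}.

    A CNA whose prior-year count is below `min_prior` gets None instead of a
    percentage: growth from an (almost) empty base is not meaningful.
    """
    prior = ytd_counts(records, year - 1, cutoff)
    current = ytd_counts(records, year, cutoff)
    result = {}
    for cna in sorted(set(prior) | set(current)):
        p, c = prior[cna], current[cna]
        pct = None if p < min_prior else round((c - p) / p * 100, 1)
        result[cna] = (p, c, pct)
    return result


def _rec(cna, published, state="PUBLISHED"):
    """Minimal constructed record trimmed to the fields used above."""
    return {"cveMetadata": {"assignerShortName": cna,
                            "state": state,
                            "datePublished": published}}


# Constructed sample: three Chrome CVEs in the 2025 window, ten in the 2026
# window (plus one rejected and one after the cutoff, both ignored), a flat
# mozilla series, and a CNA with no prior-year base.
SAMPLE_RECORDS = (
    [_rec("Chrome", f"2025-0{m}-10T12:00:00.000Z") for m in (1, 2, 3)]
    + [_rec("Chrome", f"2026-0{m}-{d:02d}T12:00:00.000Z")
       for m in (1, 2, 3, 4, 5) for d in (5, 12)]
    + [_rec("Chrome", "2026-05-14T09:00:00.000Z", state="REJECTED")]
    + [_rec("Chrome", "2026-06-01T00:00:00Z")]
    + [_rec("mozilla", f"{y}-0{m}-01T00:00:00Z") for y in (2025, 2026) for m in (3, 4)]
    + [_rec("GitHub_M", f"2026-02-0{d}T00:00:00Z") for d in (1, 2, 3)]
)


if __name__ == "__main__":
    for cna, (p, c, pct) in yoy_growth(SAMPLE_RECORDS, 2026, (5, 14)).items():
        growth = "n/a (no prior-year base)" if pct is None else f"{pct:+.1f}%"
        print(f"{cna:10} {p:4} -> {c:4}  {growth}")
```

Running the block prints one line per CNA; on the constructed sample Chrome shows +233.3%, mozilla 0.0%, and GitHub_M is reported without a percentage. Comparing the same January-to-cutoff window in both years matters: comparing a partial current year against a full prior year understates growth, and comparing it against the prior year's same-date count is what a YTD figure means.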

Digging in a bit deeper, I decided to look at the top software suppliers and their year-over-year growth to better understand what significant changes might be happening. From the chart above we can see some notable increases across Chrome (+563.2%), Mozilla (+156.9%), VMware (+180.9%), Apache (+170.3%), HPE (+132.3%), and F5 (+113.8%), among several others. In addition to these, GitHub's +476.07% increase highlights accelerated vulnerability disclosure across a high volume of open source projects.

The evidence appears to point to emerging AI models that have enabled software suppliers and security researchers to discover and remediate vulnerabilities that would likely have gone overlooked otherwise.

Digging Into Noteworthy Software Suppliers and Open Source Projects

To provide some visibility into the emerging trend of AI-assisted vulnerability discovery, we took a deeper look at several of the software suppliers and open source projects.

GitHub (Open Source Project)

During the same window in which our submission queue was experiencing its AI-driven surge, GitHub was seeing its own...
