Responsible disclosure in the age of AI: A call for urgent action

For the last four decades, we have allowed the information and communications technology (ICT)—software and hardware industry — to deliver flawed products under the principle: “field it fast and fix it later” (Hathaway 2019). That principle changed in April 2026, when Anthropic and OpenAI released frontier artificial intelligence (AI) models aimed at improving the security posture of every enterprise, critical infrastructure and government system. These models can autonomously find and exploit vulnerabilities in production software at a depth and speed that previously required experienced human researchers. In fact, they collapsed the time window from sixty days to about four hours. Now a race against the clock begins because finding a vulnerability and fixing it are two entirely different workflows, and the gap between them is where companies find themselves most vulnerable. Now it is time to reconcile the technology debt that we have incurred from these companies that prioritized profit and speed to market over security, privacy, and safety.

The imperative to build trusted products, especially software, dates back to the early 1990s as part of the United States’ Strategic Defense Initiative (SDI). The Trusted Software Methodology was a joint project between General Electric and ATT with the National Security Agency (NSA) acting as an advisor on information security of the SDI (COMPASS ’93, Eighth Annual Conference on Computer Assurance 1993). 85% of the methodology was simply good software engineering practices to prevent accidental security flaws. The other part of the methodology introduced rigorous operational and developmental constraints to prevent malicious insiders from intentionally injecting backdoors or malicious code into the software and ultimately the end product (COMPASS ’93, Eighth Annual Conference on Computer Assurance 1993). It was the first notion of delivered uncompromised technology. In 1995, this methodology was adopted at Carnegie Mellon’s Software Engineering Institute’s (SEI) and expanded its Capability Maturity Model (CMM). This harmonization produced the Trusted CMM (T-CMM), aiming to embed security assurances directly into standard software process improvement frameworks (Davis
2013).

NSA defined this as software assurance. “The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner” (Committee on National Security Systems 2015). Despite the methods and best practices being published, industry was not incentivized to create a good product, nor was it penalized for delivering a bad one. Cybersecurity professionals were trying to defend against a steady increase in adversarial and criminal exploitation of systems, and there was no patching cadence or prioritization that could be used. This inspired David E. Mann and Steven M. Christey to write and present a workshop paper entitled Towards a Common Enumeration of Vulnerabilities (Mann and Christey 1999). Of course, this is now the accepted global standard—the Common Vulnerabilities and Exposures (CVE™) identifier and subsequent scoring system.

Read more at The Cyber Defense Review