Cisco sharpens risk-based vulnerability disclosure for AI era

Summary
– Cisco warns AI will accelerate vulnerability discovery, increasing the workload for security teams already overwhelmed with patching.
– The company is shifting to a risk-based disclosure approach, prioritizing issues under active exploitation or likely to be attacked.
– Cisco is using advanced AI models to find and fix vulnerabilities faster than previously possible.
– The company acknowledges adversaries will also use AI, raising the urgency and complexity of cyber defense.
– Lower-risk findings may no longer get separate advisories; instead, Cisco will provide higher-level patch information and direct customers to secure versions.
Security teams are already drowning in vulnerability lists and struggling to patch them fast enough. Now, Cisco warns that AI could amplify that pressure by accelerating vulnerability discovery and flooding teams with even more findings to triage.
The networking giant is shifting toward a risk-based disclosure model, focusing more attention on flaws currently under active exploitation or those deemed most likely to be weaponized in attacks.
“Cisco is actively leveraging advanced AI models to accelerate finding vulnerabilities and driving remediation. Deploying these models into our security processes allows us to find and fix vulnerabilities at a pace previously unattainable,” said Russ Smoak, Vice President of Information Security at Cisco.
But Smoak cautioned that defenders won’t be the only ones harnessing these tools. “At the same time, we recognize that adversaries will also take advantage of these evolving AI capabilities, increasing the urgency and complexity of cybersecurity defense.”
This new approach also changes how lower-risk findings are handled. Cisco said some internally discovered issues that once would have triggered standalone advisories may no longer be published individually. Instead, the company plans to offer higher-level summaries of software releases that include security patches and steer customers toward hardened versions. Additional technical details about software changes addressing specific findings may follow after the initial release.
Full detailed disclosures will still be issued for vulnerabilities rated critical, those under active exploitation, and flaws considered highly likely to be exploited. Cisco also confirmed that its handling of third-party and open-source vulnerabilities will remain unchanged.
“Cisco will use our voice in the vulnerability disclosure space with the intent of driving pragmatic changes that help the industry align and scale to this expected increase in volume,” Smoak added.
(Source: Help Net Security)