Vulnerability disclosures had been rising steadily across the final months of 2025, and that continued into 2026.
Then something changed.
Disclosure rates jumped sharply, with vulnerabilities reported across GitHub rising by a factor of four in the period between January and March 2026 compared to the previous 90 days.
“The number of unique reporters more than doubled,” Madison Oliver Ficorilli, staff manager at GitHub, said in a 4 April blog post.
“The number of targeted repositories more than doubled. No single reporter accounts for more than ~3 per cent of volume, and no single project accounts for more than ~7 per cent. This isn’t one person or one tool, it’s a systemic shift in how vulnerability reporting is happening across the ecosystem.”
And that’s just on GitHub. According to VulnCheck security researcher Patrick Garrity, this increase in disclosures is happening across a far wider range of companies. For instance, Chrome reported a 563.2 per cent increase in disclosure volumes for the year to date, VMware a 180.9 per cent jump, and Apache 170.3 per cent.
Mozilla, HPE, and F5 all reported similar figures. Initially, the disclosures in early 2026 were made up largely of AI slop, but on 7 April, with the announcement of Claude Mythos Preview and Project Glasswing, Garrity said the conversation “shifted hard”.
“The evidence appears to point to emerging AI models that have enabled software suppliers and security researchers to discover and remediate vulnerabilities that would have likely gone overlooked otherwise,” Garrity said in a 14 May blog post.
Mozilla, according to Garrity, is a perfect example of the impact of AI-assisted vulnerability discovery. The company recently said that since earlier this year, “the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser”. The numbers speak for themselves: in February, Firefox released 61 fixes, and 76 the next month.
In April, however, that number surged to 423 security bug fixes. Mozilla said the jump was due to its close work with Anthropic and its Mythos Preview under the purview of Project Glasswing, of which Mozilla is a member.
Google’s raw numbers for Chrome are similarly illustrative. Across the whole of 2025, Chrome was responsible for 194 CVE disclosures. So far in 2026, that number has risen to 378 as of mid-May.
“While we haven’t seen concrete confirmation of what tools were used to drive the sudden increase, we suspect it’s related to AI discovery tools, likely some combination of Mythos and Google’s own AI models,” Garrity said.
“The trend points toward AI-assisted discovery as the most likely driver.”
The thing to watch for, according to Garrity, is whether this trend continues or whether these increases simply turn out to be an AI-driven blip. Regardless, he believes defenders need to be ready.
“Most defenders are starting to see the initial impact of AI-assisted vulnerabilities in their backlogs and should plan for sustained volumes over time,” Garrity said.
“That reinforces the importance of patching early and often, updating to the latest version when possible, and using threat intelligence to prioritise emerging threats that are being actively exploited or likely to be.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.