91视频

Skip to main content
a black screen shows code
Researchers at 91视频's Software Engineering Institute helped develop FLARE-AI, a new open-source platform that enables users to report AI flaws and coordinate responses across developers, vendors and government agencies.

91视频 Researchers Help Close a Critical Security Gap Across AI Platforms

Software Engineering Institute experts helped develop a new open-source platform for reporting and coordinating responses to AI flaws

Media Inquiries
Name
Cassia Crogan
Title
University Communications & Marketing

An AI flaw that can be found today in one model could be quietly replicated across dozens of products and services built on the same underlying technology. Until now, the AI community has lacked a formal pathway to report those flaws, alert affected vendors and coordinate a response. Researchers at 91视频鈥檚聽 (SEI), alongside collaborators from academia and industry, helped build one.聽 (FLARE-AI) is a new open-source platform that lets anyone report an AI vulnerability and route it to developers, vendors and government agencies equipped to act.聽

Closing the AI security gap

Lauren McIlvenny

Lauren McIlvenny

Without a formal reporting structure, it is likely that many AI flaws and vulnerabilities have gone unreported, according to聽, technical director of threat analysis at the SEI and an adviser to the FLARE-AI project. When flaws are reported, they are often sent to a single vendor.

鈥淎 reporter might spot a problem in a particular model or system, but they鈥檙e not looking across all the vendors and third-party integrators to see if they share the same structural weakness,鈥 McIlvenny said.聽

Using the FLARE-AI website, anyone can complete a form that generates a standardized, machine-readable report about an AI flaw, vulnerability or incident. The user can then tell the system to submit the report to independent third parties such as the SEI, government agencies, incident databases, AI model-hosting platforms or AI model developers. From there, the receiving organization can address the flaw directly or coordinate disclosure and remediation among affected vendors.

Bringing proven cybersecurity practices to AI

The system mirrors longstanding mechanisms for reporting software vulnerabilities, such as the聽 platform run by the SEI鈥檚聽.

VINCE is one of the reporting pathways that FLARE-AI connects to, thanks to the back-end work of Greg Strom, an SEI software engineer who was also an adviser to the project. Once VINCE receives a flaw report from FLARE-AI, experts from the CERT/CC and the SEI鈥檚聽 will review the report and, if warranted, arrange disclosure with affected developers, vendors and integrators.

鈥淏y integrating FLARE-AI into VINCE and our coordinated vulnerability disclosure process, we鈥檒l be able to provide cross-platform examination,鈥 said McIlvenny. 鈥淲e can issue CVE (Common Vulnerabilities and Exposures) IDs and vulnerability notes to make sure all affected tool vendors, third-party integrators and users know about the flaw. That鈥檚 what traditional cybersecurity processes are going to bring to the table.鈥

Recent have called for stronger coordination around AI vulnerability discovery, validation and remediation, including the creation of an AI cybersecurity clearinghouse. FLARE-AI and the organizations connected to it, including CERT/CC, are positioned to be links in that reporting chain.聽

Community approach, collective security

FLARE-AI is the culmination of work by a group of AI and security researchers from academia, industry and non-profits. The seeds for the system were planted at a 2024 workshop on聽, where participants called for standardized AI flaw reports, AI disclosure programs and improved infrastructure for sharing flaw information.聽

McIlvenny, who spoke at the workshop and coauthored the聽, advised the FLARE-AI team on adapting cybersecurity and reporting practices to the emerging AI vulnerabilities she sees through her work leading AISIRT.聽

The collective approach to AI security is critical for the field, said McIlvenny.聽

鈥淭he whole community recognizes the importance of AI. Now AI researchers need to come into the security field, learn what they can and change it where it needs to be changed,鈥 she said.

As a trusted partner for government, industry and academia, the SEI has long worked to聽 the often disconnected AI and cybersecurity communities. Merging these disciplines represents an important step in the maturity of AI, one experienced by previous technology innovations such as industrial control systems and cloud computing, said McIlvenny.聽

鈥淭he AI community is starting to learn the cybersecurity processes that they could adopt or adapt. FLARE-AI is a place for them to find out how AI flaws fit into the world of coordinated vulnerability disclosure.鈥

鈥 Related Content 鈥