Anthropic formalizes disclosure rules for Claude-discovered vulnerabilities

Original: Coordinated vulnerability disclosure for Claude-discovered vulnerabilities

AI | Mar 7, 2026 | By Insights AI

On Mar 6, 2026, Anthropic published a coordinated vulnerability disclosure policy for vulnerabilities discovered with assistance from Claude. The company says every report it sends will be reviewed and confirmed by a human security researcher, and findings that originate from AI-powered discovery will be explicitly labeled as such.

The policy sets a default 90-day disclosure deadline from the initial report to public disclosure. If a maintainer needs more time near the end of that window, Anthropic says it may grant a 14-day extension on request. For actively exploited critical vulnerabilities, the timeline is much shorter: Anthropic targets a patch or mitigation within 7 days and may allow an additional 7 days if the maintainer is actively working on a fix.

Anthropic also lays out how it wants to reduce operational burden on vendors and open-source maintainers. It says it will include candidate fixes where possible, avoid dropping large volumes of findings on a single project without coordination, and escalate to an external vulnerability coordinator if a maintainer does not respond within 30 days. For ecosystem-wide issues that affect many projects, the company says it will notify affected parties and give them time to respond before technical details become public.

Another notable detail is the publication buffer after a patch exists. Anthropic says it will generally wait 45 days before releasing full technical details so downstream users have time to deploy fixes. That delay can be shortened if the information is already public or if earlier publication would materially help defenders respond to ongoing attacks. It can also be extended when remediation is unusually complex or the affected footprint is unusually broad.

The update matters because AI-assisted vulnerability discovery is moving from demonstration to operational workflow. Anthropic is trying to show that frontier-model tooling can fit inside established disclosure norms instead of bypassing them. That makes the policy relevant not only for Claude users, but also for software vendors, open-source maintainers, and security teams deciding how AI should participate in offensive security research and coordinated disclosure.
