Coordinated Disclosure for AI: Beyond Security Vulnerabilities

This legal action ignited a heated debate, contributing to a growing series of lawsuits against AI providers [9-11, 54]. This incident underscores the inadequacy of current AI harm reporting mechanisms, leaving small harmed parties with limited recourse unless backed by substantial legal support or media awareness, despite the recognized potential for improving AI systems by exposing issues [78]. Current AI accountability initiatives primarily rely on periodic audits, emphasizing repetitive assessments but lacking a structured reporting framework for user-identified issues post-deployment. This audit-centric paradigm is reflected in influential policies such as the U.S. Executive Order on AI [93], the EU's draft AI Act [43], and New York City's Local Law 144[69]. However, this approach falls short when compared to the more comprehensive Coordinated Vulnerability Disclosure(CVD) processes standard in software security. Coordinated Vulnerability Disclosure (CVD) plays a crucial role as a mechanism for independent researchers to report newly identified vulnerabilities to affected vendors and the public [58]. This process enables transparent remediation before potential exploitation by malicious actors and has become a vital practice enshrined in government regulations and industry standards. Notably, the FDA mandates the implementation of CVD programs for medical device companies to enhance cybersecurity[96]. While CVD has demonstrated effectiveness in traditional software security, its direct application to machine learning (ML) systems faces unique challenges.