Vulnerability / CVE

A weakness in software, systems, or models that could be exploited to cause harm; CVE (Common Vulnerabilities and Exposures) is the standardized system for identifying and cataloging such weaknesses. Traditional software vulnerabilities in AI systems or components follow established CVE disclosure and patching processes, and these processes may be required for some systems due to regulations like the EU AI Act and Cyber Resilience Act (CRA). AI-specific vulnerabilities like prompt injection and jailbreaks are less standardized; MITRE ATLAS and OWASP Top 10 for LLMs provide emerging taxonomies but lack CVE-style universal identifiers. Contracts should address vulnerability disclosure timelines, patching obligations, and notification requirements for both software and model-level vulnerabilities. When evaluating vendor security posture, assess both traditional vulnerability management (CVE monitoring, patch cadence) and AI-specific security practices.

See: Cyber Resilience Act; Incident response; OWASP Top 10 for LLMs; Prompt injection; Security