Press "Enter" to skip to content

CMU Researchers Bridge AI Platform Security Gap

Artificial intelligence is increasingly pervasive, but with its rise, a critical issue has emerged: the replication of AI flaws across multiple platforms. Until recently, there was no standardized way to report and address these vulnerabilities. Researchers at Carnegie Mellon University’s Software Engineering Institute (SEI), in collaboration with academic and industry partners, have developed a solution named Flaw Reporting for AI (FLARE-AI). This open-source platform empowers users to report AI vulnerabilities, directing them to the right entities for action.

Addressing the AI Security Challenge



Lauren McIlvenny

Lauren McIlvenny, technical director of threat analysis at SEI and advisor to FLARE-AI, highlights the previous lack of a formal reporting structure for AI flaws. Often, these vulnerabilities were only reported to individual vendors, leaving broader systemic issues unaddressed. McIlvenny explains, “A reporter might spot a problem in a particular model or system, but they’re not looking across all the vendors and third-party integrators to see if they share the same structural weakness.”

FLARE-AI allows users to submit a detailed, machine-readable report of AI vulnerabilities. These reports can then be forwarded to various entities, including government agencies, incident databases, and AI model developers, who can coordinate the necessary actions to mitigate the flaws.

Applying Cybersecurity Best Practices to AI

FLARE-AI leverages established cybersecurity reporting mechanisms, such as the Vulnerability Information and Coordination Environment (VINCE). Developed by the SEI’s CERT Coordination Center (CERT/CC), VINCE facilitates the examination and dissemination of AI flaw reports received from FLARE-AI. Greg Strom, an SEI software engineer, contributed to integrating FLARE-AI with VINCE.

Once a report is submitted, experts from CERT/CC and the SEI’s AI Security Incident Response Team (AISIRT) assess the issue and work with vendors to address it. McIlvenny states, “By integrating FLARE-AI into VINCE and our coordinated vulnerability disclosure process, we’ll be able to provide cross-platform examination.”

Recent federal initiatives emphasize the need for coordinated AI vulnerability management. FLARE-AI and its associated organizations are poised to play a crucial role in these efforts.

Building a Secure AI Community

The development of FLARE-AI was driven by a collective effort from AI and security experts, sparked at a 2024 workshop on AI evaluation. McIlvenny, a speaker at the workshop, contributed to a paper that served as a blueprint for FLARE-AI.

According to McIlvenny, fostering a collaborative approach to AI security is vital. She remarked, “The whole community recognizes the importance of AI. Now AI researchers need to come into the security field, learn what they can and change it where it needs to be changed.”

The SEI has long facilitated the convergence of AI and cybersecurity disciplines, enhancing the maturation of AI technologies. McIlvenny observes, “The AI community is starting to learn the cybersecurity processes that they could adopt or adapt. FLARE-AI is a place for them to find out how AI flaws fit into the world of coordinated vulnerability disclosure.”

Read More Here

Comments are closed.