Policy Pulse - Week of June 20, 2026 | Issue #20

Write-ups and Disclosures
1

Policy Pulse - Issue #20 | Week of June 20, 2026

Your weekly briefing on cybersecurity policy affecting vulnerability disclosure and security research.

Top Story

Three days after Anthropic shipped an offensive cyber model to vetted defenders, the US government invoked export-control authority to pull it. The first government recall of a deployed frontier cyber model is now a precedent, and the disclosure community is downstream of all of it.

On June 9, Anthropic released Claude Fable 5 and Mythos 5 (Anthropic). Mythos 5 is the same underlying model as Fable 5 with the safeguards lifted in some areas, and Anthropic does not soften what it does: Mythos-class models “excel at discovering and exploiting software vulnerabilities” and show “strong skills in agentic hacking,” meaning they can chain reconnaissance, discovery, and exploitation rather than just find a single bug. Mythos 5 was distributed only to authorized cyberdefenders through Project Glasswing, built in collaboration with the US government, with external red-teaming reporting no universal jailbreaks in over 1,000 hours of testing.

On June 12, that collaboration produced a reversal. The US government, “citing national security authorities, has issued an export control directive to suspend all access” to both Fable 5 and Mythos 5, and Anthropic disabled the models for every customer worldwide, including its own employees abroad, to comply (Anthropic). The stated trigger was a narrow, non-universal jailbreak: a method of prompting the model to read a codebase and fix flaws, which Anthropic characterizes as a routine capability available in competing models. Anthropic publicly disagreed: “We disagree that the finding of a narrow potential jailbreak should be cause for recalling a commercial model deployed to hundreds of millions of people,” adding that government authority to block unsafe deployments should run through “a statutory process that is transparent, fair, clear, and grounded in technical facts,” and that this action did not meet that bar.

This is the policy story the disclosure community has been waiting to see resolve. For two issues we have tracked the gap between AI cyber capability and the infrastructure meant to govern it. Here is the first concrete government intervention against a deployed model, and the lever was not a vulnerability-disclosure standard or a coordination mandate. It was export control. A national-security recall tool built for weapons and dual-use technology has now been pointed at a commercial AI product, with no published technical threshold and no appeal process visible from the outside. The model that was “developed in consultation with the US government” was suspended by that same government 72 hours into deployment.

Why it matters for VDP: Export control is now an active governance lever over offensive-capable AI, and it operates with none of the transparency norms the disclosure community has spent two decades building. If “AI reads a codebase and fixes flaws” can trigger a national-security recall, program operators and tool vendors should expect both more AI-sourced submissions and more regulatory scrutiny of the tooling that produces them, governed by a process they cannot see or comment on.

Throwback: In Issue #19, we covered EO 14409 building a classified benchmark to assess “covered frontier models” and a voluntary 30-day pre-release window. This week the government skipped the benchmark and went straight to a recall, which tells you how fast the policy clock is now running relative to the rulemaking it is supposed to follow.

Upcoming Deadlines & Events

  • June 26, 2026: NIST IR 8500A (BloSS@M, blockchain-based software asset management with NVD-integrated vulnerability identification) public comment closes. The closest deadline in this slate and the most directly tied to the disclosure pipeline. (NIST CSRC)
  • July 2, 2026: NIST SP 800-228A (Guidelines for Secure Deployment of RESTful Web APIs) public comment closes. APIs are the dominant modern bug-bounty target class. (NIST CSRC)
  • July 6, 2026: NIST IR 8323r2 (PNT/GPS resilience profile, rebuilt on Cybersecurity Framework 2.0) public comment closes. (NIST CSRC)
  • July 8, 2026: NIST SP 1800-41 (Responding to and Recovering from a Cyber Attack, Manufacturing Sector) public comment closes. (NIST CSRC)
  • ~July 2, 2026 (EO 14409 +30 days): CISA Binding Operational Directives (Sec 2(c)) and the Treasury-led AI cybersecurity clearinghouse (Sec 2(d)) are due. (White House)
  • July 25, 2026: NIST must submit a formal action plan responding to the Commerce OIG report on its management of the National Vulnerability Database. (Help Net Security)
  • August 24, 2026: Petitions for new and renewal DMCA Section 1201 exemptions are due in the Copyright Office’s tenth triennial rulemaking. The security-research exemption is in play for 2027 through 2030. (Copyright Office)
  • September 11, 2026: EU Cyber Resilience Act reporting obligations go live, including a 24-hour early-warning clock for actively exploited vulnerabilities. (ENISA)
  • September 28, 2026: Written comments on DMCA Section 1201 renewal petitions due. (Copyright Office)

This Week in Policy

Federal Strategy & Regulation

  • A planned NDAA amendment would give the CVE program a statutory home inside CISA. A proposed amendment to the fiscal 2027 National Defense Authorization Act would formally establish CISA’s authority over the Common Vulnerabilities and Exposures program, create a 15-member CVE Board to set program policy and priorities, require a joint CISA and NIST modernization plan, and write vulnerability enrichment into CVE’s formal mission (Nextgov/FCW). No sponsoring lawmaker is named in the reviewed text yet. This is the legislative answer to the 2025 MITRE funding scare: stability through statute rather than an annual contract. Throwback: Issue #19 noted CVE funding was secured as a protected budget line in January. This would harden that into law and add governance.

CVE & Vulnerability Programs

  • BOD 26-04 retires the fixed-deadline KEV model, and this week’s KEV adds are the first under it. CISA’s Binding Operational Directive 26-04 (issued June 10) revokes BOD 22-01, the 2021 directive that created the Known Exploited Vulnerabilities catalog and its aggressive fixed-deadline remediation. Remediation urgency is now scored on four variables (Asset Exposure, KEV Status, Exploit Automation, Technical Impact), with CISA’s own Vulnrichment program named as the enrichment service that publishes the scores (CISA). Coordinators advising federal customers can no longer say “it is on KEV, patch it by the deadline.” The deadline is now a risk computation.
  • Four CVEs hit KEV this week, all internet-exposed and exploit-automatable. CISA added CVE-2026-20253 (Splunk Enterprise, missing authentication enabling unauthenticated file creation or truncation), CVE-2026-20262 (Cisco Catalyst SD-WAN Manager, path traversal allowing arbitrary file write), CVE-2026-54420 (LiteSpeed cPanel Plugin, symlink-following on shared hosting), and CVE-2026-48907 (Joomla Content Editor, improper access control enabling unauthenticated PHP execution) (CISA KEV, catalog version 2026.06.18). Two SIEM/network-management targets and two mass-hosting targets: exactly the profile the new BOD 26-04 matrix scores as top urgency.

AI & Emerging Tech Security

  • Project Glasswing expansion: discovery is now cheap, and Anthropic says so out loud. Anthropic’s June 2 update expanded Glasswing from roughly 50 to about 150 organizations across more than 15 countries (power, water, healthcare, communications, hardware), with initial partners finding more than 10,000 high or critical severity flaws (Anthropic). The institutional admission is the headline: “the bottleneck in cybersecurity is now verifying, disclosing, and patching the large numbers of vulnerabilities.” Anthropic also warns that within 6 to 12 months many other AI companies will have Mythos-class models, and some may ship them without safeguards. Throwback: Issue #19 reported the May 22 milestone (530 reported, 75 patched). The number is now 10,000+ found, and the patch gap is the whole story.
  • Anthropic maps a year of AI-enabled attacks and finds MITRE ATT&CK does not fit. Reviewing 832 accounts banned for malicious cyber activity from March 2025 to March 2026, Anthropic found 560 of them (67.3%) used AI for malware writing, and the share of actors rated medium risk or higher rose from 33% to 56% across the year (Anthropic). Its conclusion: “There is no ATT&CK ID for this type of agentic orchestration.” Anthropic is engaging MITRE to evolve the framework, which is a concrete, near-term governance proposal the disclosure community should track.
  • UK AISI open-sources its evaluation stack. On June 18, the UK AI Security Institute released its Engineering Playbook along with Inspect AI and 200+ pre-built Inspect Evals, already adopted by METR and Apollo Research (AISI). This is general evaluation infrastructure, not a new cyber-capability eval, but it lowers the barrier for third parties to run frontier evaluations (including cyber) on shared, auditable tooling. Note the contrast with the US export-control posture above: one ally open-sources the means of evaluation while the US classifies its benchmark and recalls the model.

Legal & Researcher Protections

  • A quiet week on the docket, which keeps the August 1201 deadline as the live event. No new CFAA reform bill, DOJ charging-guidance update, or in-window security-research ruling published between June 13 and 20; the Federal Register returned zero relevant Section 1201 or CFAA documents for the window. The standing catalyst is unchanged: petitions to renew and expand the DMCA Section 1201 good-faith security-research exemption are due August 24 in the tenth triennial rulemaking (Copyright Office). This remains file-or-lose for the 2027 through 2030 exemption term.

International Developments

  • UK NCSC reframes cyber as a “contest” and puts a 2028 clock on AI exploitation. At the RUSI Annual Security Lecture on June 19, NCSC chief Richard Horne reported the agency managed more than 200 incidents against UK critical national infrastructure in the past year, roughly 75% linked to Russia, China, and Iran, and projected that by 2028 attackers will use AI to exploit known vulnerabilities in legacy systems at scale (Industrial Cyber). The 2028 horizon is a direct argument for faster coordinated disclosure and remediation now, while the patch window still exists.
  • Australia hardens its critical-infrastructure baseline. Australia’s Cyber and Infrastructure Security Centre unveiled the Enhanced CIRMP Rules 2026 on June 18, expanding obligations across nine asset classes to mandate phishing-resistant MFA, critical and non-critical system segregation, AI and legacy-system risk assessment, and foreign-ownership supplier evaluation, with additional requirements commencing in 2027 (Industrial Cyber). The UK, EU, and Australia are now moving in lockstep on the critical-infrastructure regulatory scaffolding that disclosure obligations attach to.

Worth Reading

Friends of disclose.io

Inti De Ceukelaire: the human case for coordinated disclosure in an AI-flooded week

In a week defined by a machine that finds vulnerabilities by the thousand, it is worth featuring the human end of the craft. Inti De Ceukelaire is one of the most recognizable ethical hackers in Europe, HackerOne’s 2018 Most Valuable Hacker, and the Head of Hackers at Intigriti, the Belgium-based bug bounty platform and CVE Numbering Authority. He has spent his career proving that the value of a disclosure is not just the bug, it is the judgment, the context, and the responsible handoff around it.

That is exactly the part the Glasswing numbers cannot automate. When a model surfaces 10,000 high and critical flaws and the bottleneck becomes verifying, disclosing, and patching them, the scarce resource is no longer discovery. It is the coordination skill, the maintainer relationships, and the good-faith process that researchers like Inti have spent years building and teaching. His public work, including his live hacking demonstrations and his ongoing focus on AI-era security, is a running argument that disclosure is a human discipline first.

For a community staring down machine-scale submission volume, that is the reassuring and the urgent message at once: the tooling will keep getting faster, and the human judgment around it is about to matter more, not less.

Why his work matters this week:

  • Intigriti, where Inti leads the hacker community, is a CVE Numbering Authority and one of the platforms that will absorb the intake-and-triage load as AI-discovered reports scale.
  • His public education work reframes ethical hacking as a respected, good-faith profession, the cultural foundation every safe-harbor and VDP framework depends on.
  • He consistently puts the coordinated, human side of disclosure forward, which is the exact capability the AI-discovery wave is about to stress-test.

:page_facing_up: Connect with Inti De Ceukelaire on LinkedIn

The week’s top story is about a model being pulled by export control. The quieter story underneath is that the people who do coordinated disclosure well are the ones who turn a flood of findings into actual fixes. That human layer is precisely what disclose.io exists to support.

Policy Pulse is a weekly bulletin from disclose.io. Keeping the security research community informed on policy that affects our work.

Have a tip or want to contribute? Reply to this email, reach out on Twitter/X, or drop a comment here!