What You Need to Know About the New AI Executive Order

Ilona Cohen
Chief Legal and Policy Officer

Last month, HackerOne met with the Office of the National Cyber Director and the federal government's Chief Information Security Officer to discuss what the government should do to strengthen U.S. cybersecurity in the age of frontier AI.

Today, the Administration responded with an Executive Order - not a comprehensive AI regulatory framework, but a targeted set of directives drawing on existing cybersecurity and national security authorities.

Discovery is No Longer the Problem

For years, a primary challenge in cybersecurity was improving vulnerability discovery. Frontier AI models are now identifying vulnerabilities at a speed and scale that outpaces organizations' ability to respond. H1 Platform data shows vulnerability submissions up 92% year over year, with critical and high-severity findings climbing while remediation throughput lags by a wide margin. The constraint isn't finding vulnerabilities anymore. It's everything that comes next: validating findings, prioritizing real-world risk, coordinating disclosure, and remediating before adversaries act.

That shift is reflected throughout this order.

What's In the Executive Order

Upgrading Federal Cybersecurity

Within 30 days, agencies will issue directives to prioritize AI-enabled defense of federal civilian systems and extend access to AI-based defense tools to critical infrastructure, including rural hospitals, community banks, and local utilities.

Key provisions:

  • Treasury, NSA, and CISA will establish a voluntary AI cybersecurity clearinghouse with industry to coordinate vulnerability discovery, remediation, and patch distribution
  • Federal budget officials will identify grant funding for advanced AI vulnerability detection
  • The government will expand cybersecurity hiring through its U.S. Tech Force initiative

Vulnerability Clearinghouse

Vulnerabilities in advanced AI systems don’t stay contained - they run through every product and service built on top of the model that carries them. The clearinghouse, led by Treasury in coordination with NSA and CISA, appears designed to address that: scanning for software vulnerabilities across federal agencies and critical infrastructure operators, coordinating mitigations, and pushing patch distribution at scale. It mirrors the AI Action Plan’s recommendation to establish an AI Information Sharing and Analysis Center. Together, they suggest the Administration is trying to build a durable coordination architecture for AI-related cyber risk - not just a one-time disclosure program.

Covered Frontier Models

Federal security and AI policy officials will establish a classified benchmarking process to designate certain advanced AI models as "covered frontier models." Developers of covered models would participate in a voluntary framework providing 30 days of government pre-public access before releasing the models to other trusted partners. The designation authority sits with the NSA, and the benchmarking methodology is classified, meaning frontier AI cyber capabilities are seen as a national security issue, not a technology or governance one.

Criminal Enforcement

The order prioritizes federal criminal enforcement against those who illegally use AI to access or damage computer systems, directing the Attorney General to prioritize enforcement of the Computer Fraud and Abuse Act. HackerOne has long advocated for protecting good-faith security researchers from legal risk. Whether enforcement guidance includes clear safe harbors for legitimate research will matter.

What to Watch During Implementation

The 30- and 60-day timelines are tight. Three things stand out.

The clearinghouse needs legal cover to function. Participation depends on legal protections for shared information comparable to those the Cybersecurity Information Sharing Act of 2015 provides for traditional threat sharing. Extending those protections to AI vulnerability data needs to be an early implementation priority.

Coordinated disclosure is becoming national infrastructure. Vulnerability disclosure programs are no longer optional best practices - they are operational infrastructure. The clearinghouse model requires trusted channels connecting government, AI developers, critical infrastructure operators, and the security research community.

Remediation, not discovery, is the critical control point. The order’s emphasis on patch distribution and AI-enabled security tooling signals that policymakers are catching up to where the threat landscape already is. Federal agencies and critical infrastructure operators need systems that can validate findings and route remediation, not just receive reports. Grant funding aimed at building those capabilities is where implementation can have the most direct impact.

HackerOne's Approach

HackerOne has been making the same arguments for years:

  • Voluntary, collaborative frameworks between government and industry work
  • Scaling vulnerability disclosure and remediation requires resources, incentives, and accountability, including requiring vulnerability disclosure programs for federal contractors
  • The private sector must be a genuine partner in defending critical infrastructure, not an afterthought

Success in cybersecurity is no longer measured by how many vulnerabilities organizations can find. Resilience depends on how quickly findings can be validated, how accurately exploitability can be assessed, and how efficiently remediation happens. That shift has driven HackerOne to deploy new validation capabilities that combine AI-assisted analysis with human expertise to help organizations prioritize what actually needs to be fixed.

This order reflects that policymakers are beginning to recognize the same shift the security industry is already navigating. Next comes the real challenge: implementation.


About the Author

Ilona Cohen
Chief Legal and Policy Officer

Ilona is HackerOne’s Chief Legal and Policy Officer, where she manages the public policy portfolio, oversees all legal matters, and provides strategic leadership to the company.