OpenClaw, a self-hosted AI agent that rapidly became GitHub's most-starred repository, published over 200 GitHub Security Advisories (GHSAs) within three weeks, exposing a systemic gap between GHSA-based and CVE-based vulnerability tracking. VulnCheck attempted to call 'DIBS' on 170 unassigned advisories in bulk, which MITRE rejected as a misuse of the coordination mechanism. The incident sparked debate in the security community about whether CVE identifiers remain necessary when GHSAs are already publicly accessible. Research shows that as of 2026, only ~8% of GitHub Security Advisories have been GitHub-reviewed, and most enterprise security tooling still relies on CVE identifiers, so GHSA-only disclosures remain invisible to scanners, SBOM tools, and compliance frameworks. The episode highlights structural fragmentation in vulnerability tracking that AI-driven development is likely to amplify.