Coordinated vulnerability disclosure (CVD) is a mature discipline in software security but has no widely adopted analog for AI-specific harms such as prompt-injection failures, training-data leakage, or model-induced bias incidents.
We propose a baseline disclosure standard that combines RFC 9116 (security.txt), ISO/IEC 29147, and the NIST AI RMF GenAI Profile, and we offer a reference template organisations can adopt today.