Chainguard Launches Athena, the Industry Coalition to Fix Open Source Vulnerabilities Before Attackers Can Find Them

PR Newswire

Founding members — including BNY, Chainguard, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTIMindtree, and PwC — back a coalition for the orchestrated defense of open source software that has already processed more than 20,000 findings and shipped over 2,000 patches across 500 open source projects

KIRKLAND, Wash., June 15, 2026 /PRNewswire/ — Chainguard, together with BNY, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTIMindtree, and PwC, today announced Athena, an industry coalition for the orchestrated defense of open source software, built for the frontier-model era where AI systems can find serious flaws faster than anyone can patch them. Athena is operational today with more than two dozen member organizations. To date, it has processed more than 20,000 findings and generated over 2,000 patches across 500 open source projects. The first wave of disclosures begins next month.

Founding members span the full stack of the software ecosystem and include BNY, Chainguard, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTIMindtree, and PwC. Many of the coalition’s submitting members surface these vulnerabilities using frontier AI programs they have access to — including Anthropic’s Project Glasswing and OpenAI’s Daybreak — and bring the resulting findings to Athena.

“The time to exploit has gone negative — exploits now land before a flaw is ever disclosed,” said Dan Lorenc, CEO and co-founder, Chainguard. “Athena’s whole job is to make the time to remediate even more negative, so the fix is already in place before the vulnerability is public. No one company can get ahead of this alone, and orchestrated defense is the only answer.”

The current system cannot keep up

Frontier AI models can now read code, reason across dependencies, and surface novel, chained zero-day vulnerabilities in open source software at machine speed — flaws that survived decades of expert review. In one recent case, a critical bug sat in media-processing code used by countless applications that automated fuzzers had run more than five million times without ever catching. The gap between a vulnerability being discovered and being exploited has collapsed from years to hours, and a growing share of exploits are weaponized before the bug is ever publicly disclosed. Coordinated disclosure was built for a world in which finding a serious flaw took weeks and the targets were few. That world is gone.

Left unaddressed, the shift pushes the industry toward fragmentation, with every cloud, vendor, and security team independently forking the same critical libraries and no shared understanding of what has actually been fixed. Athena is built as the alternative: it offers a single pipeline that pools findings, remediates them under embargo, and drives durable fixes back upstream, so a vulnerability is patched and protected before it is ever public.

Athena closes the full loop

Athena runs a shared, active platform that takes each vulnerability through its full lifecycle end to end. Within it, a clearinghouse pools and correlates findings from every member. Around that, Athena stacks independent layers of protection so that coverage exists even where a clean patch does not yet, and stays on every flaw until a durable upstream fix is in place:

  • Discovery. Vetted findings are pooled from across the coalition — including frontier research programs such as Anthropic’s Project Glasswing and OpenAI’s Daybreak. Athena accepts findings generated by all frontier models.
  • Pre-embargo remediation. Private forks and rebuilt, hardened versions are made available to members through Chainguard Libraries before disclosure. Findings are addressed in batches across an entire library, hardening it against whole classes of issues rather than the single bug a model happened to surface first — so it stays quiet even when a more capable model arrives.
  • Continuous reconciliation. Every finding is reconciled against upstream activity throughout the embargo, catching independent discovery and keeping fixes current as projects move at head.
  • Platform, network, and infrastructure mitigations. Partners that operate infrastructure, platform, network, and security layers push non-patch mitigations ahead of disclosure: detection signatures, traffic-level rules, and platform-side blocks that neutralize a flaw without the affected software ever being touched, at machine speed and broad reach.
  • Detections and vendor mitigations. Cybersecurity partners add their own detections, signatures, and virtual patching as a further independent layer.
  • Upstream disclosure and hard forks. The coalition drives coordinated disclosure upstream, and Chainguard hopes to work with the Linux Foundation on a coordinated Security Incident Response Team (SIRT) for open source and a maintainer of last resort program.

No single layer is complete; together, they get as close to complete as the problem allows.

A significant share of Athena’s impact is invisible by design. Because a patch only protects systems that can apply it — and much of the world’s critical infrastructure cannot patch on an attacker’s timeline — Athena’s platform-level mitigations are intended to neutralize a vulnerability across the internet before public disclosure. The same open source libraries that run inside the largest technology companies also run inside facilities such as municipal water systems and regional hospitals that have little or no dedicated security staff; those organizations are protected without taking any action, and in most cases without ever knowing there was a threat.

A coalition across the software supply chain

With more than two dozen members, Athena’s coalition spans the layers the world’s software depends on, with each participant contributing a capability the others cannot. AI vulnerability-research teams and software consumers supply pre-disclosure findings; platform, network, and infrastructure providers extend protection at the layers exploits traverse; cybersecurity vendors build detections and virtual patches; and global system integrators carry fixes into client environments at scale. The coalition will coordinate disclosure upstream, and Chainguard hopes to work with the Linux Foundation on a coordinated Security Incident Response Team (SIRT) for open source and a maintainer of last resort program.

Supporting Quotes

“Trust is at the core of what we do. Our clients count on BNY to protect what matters most, including the software behind our systems. As AI speeds up the discovery of vulnerabilities, Athena may help us identify and address risks earlier.” – Dave Robinson, Chief Information Security Officer, BNY

“For decades, Cisco has helped secure the open-source ecosystem. That work now faces new urgency; frontier AI has accelerated the vulnerability discovery cycle beyond what traditional coordinated disclosure was built to handle. Chainguard’s Athena coalition represents an important evolution, the coordination of open-source vulnerability intelligence and defense at the pace these threats demand. As this space continues to evolve, Cisco is committed to protecting customers across their infrastructure and applications, including open source. Open source powers critical infrastructure worldwide. Securing it secures all of us.” – Anthony Grieco, SVP & Chief Security & Trust Officer, Cisco

“AI has fundamentally changed the speed of vulnerability discovery, and traditional, siloed patching simply can’t keep pace. Cloudflare is already using our global network to deploy automated, traffic-level mitigations before these flaws are ever made public. This collaboration allows us to better act as an industry to neutralize threats at the ecosystem scale, protecting critical infrastructure and businesses before an attacker even has the chance to exploit a bug.” – Blake Darché, Head of Cloudforce One, Cloudflare

Availability

Athena is open to vetted organizations through an application process. Members retain control of their findings — kept private, shared with a trusted subset of the coalition, or opened to everyone. Organizations that join before the first coordinated disclosure wave next month are covered under embargo ahead of it. Interested organizations can apply or start a conversation at chainguard.dev/athena.

About Chainguard

Chainguard is the trusted source for open source. Its solutions provide engineers and AI agents with the hardened, trusted, and production-ready artifacts they rely on, so organizations can build fast while staying compliant and protecting against AI supply chain attacks. Customers include Fortune 500 enterprises and global industry leaders, including Anduril, Canva, Fortinet, Hewlett Packard Enterprise, OpenAI, Snap Inc., and Snowflake. Chainguard is venture-backed by leading investors, including Amplify, IVP, Kleiner Perkins, Lightspeed Venture Partners, Mantis VC, Redpoint Ventures, Sequoia Capital, and Spark Capital. For more information, visit: https://www.chainguard.dev/

View original content to download multimedia: https://www.prnewswire.com/news-releases/chainguard-launches-athena-the-industry-coalition-to-fix-open-source-vulnerabilities-before-attackers-can-find-them-302799984.html

SOURCE Chainguard