{"slug": "chainguard-s-new-athena-coalition-uses-ai-to-fix-open-source-flaws-before-them", "title": "Chainguard's new Athena coalition uses AI to fix open-source flaws - before attackers exploit them", "summary": "Chainguard launched the Athena coalition, a group of over two dozen companies including JPMorgan Chase and Cisco, to use AI to find and fix open-source software vulnerabilities before attackers can exploit them. The initiative aims to counter the shrinking window between vulnerability discovery and exploitation, which has collapsed from years to hours due to AI-powered attacks.", "body_md": "# Chainguard's new Athena coalition uses AI to fix open-source flaws - before attackers exploit them\n\n### ZDNET's key takeaways\n\n- Chainguard will use AI to protect open-source code.\n- Athena pools open-source users, developers, and maintainers.\n- Others are also using AI to secure open-source code.\n\nAs everyone in IT knows, or should know anyway, [AI has opened up a new front in attacking open-source code security](https://devops.com/can-chainguard-save-open-source-software-from-mythos-can-anyone/). Finding and exploiting a flaw used to require real skill and time. Now, anyone with access to a sufficiently capable AI model can hunt for exploitable bugs and generate tailored malware at a pace that outruns traditional patching. 
The software company [Chainguard](https://www.chainguard.dev/), which specializes in [zero-CVE container images](https://thenewstack.io/chainguard-and-the-hunt-for-truly-zero-cve-container-images/) and [security-hardened open-source code](https://www.zdnet.com/article/how-chainguard-is-fixing-trust-in-ai-built-software/), is joining with other companies to beat attackers to the punch with a new coalition, Athena.\n\nAs Chainguard puts it, \"The gap between [a vulnerability being discovered and being exploited has collapsed from years to hours](https://www.prnewswire.com/news-releases/chainguard-launches-athena-the-industry-coalition-to-fix-open-source-vulnerabilities-before-attackers-can-find-them-302799984.html), and a growing share of exploits are weaponized before the bug is ever publicly disclosed. Coordinated disclosure was built for a world in which finding a serious flaw took weeks, and the targets were few. That world is gone.\" Chainguard is right.\n\nSomething had to be done. As the company's CEO and co-founder, Dan Lorenc, wrote on LinkedIn, we had a \"choice between letting open-source security fragment into a dozen rival patch sets nobody can reconcile, or [doing the hard, coordinated thing](https://www.linkedin.com/feed/update/urn:li:activity:7472322915246485504/) instead. I said it would only work if we built it together, and admitted I had no idea if we actually would. Here's the update: the industry showed up. It's called Athena, and it's live.\"\n\nAnthony Grieco, Cisco's SVP, chief security and trust officer, agrees. \"For decades, Cisco has helped secure the open-source ecosystem. That work now faces new urgency; frontier AI has accelerated the vulnerability discovery cycle beyond what traditional coordinated disclosure was built to handle. 
Chainguard's Athena Coalition represents an important evolution, the coordination of open-source vulnerability intelligence and defense at the pace these threats demand.\"\n\n### Chainguard bets on AI as a defensive shield\n\nAthena has two parts. The first is a coalition of more than two dozen companies that will collaborate to hunt down and remediate flaws in widely used open-source software using cutting-edge AI models. Its supporters are a who's who of finance and enterprise infrastructure companies, including JPMorgan Chase, Cisco, Cloudflare, Docker, Kyndryl, and PwC. The second, described below, is the layered remediation process that turns the coalition's findings into fixes and mitigations.\n\nThese companies already face stringent regulatory and customer pressure around software supply-chain risk. The coalition gives them a way to pool data, AI capabilities, and remediation work on vulnerabilities that cut across their stacks. The aim is to shift from one-off, project-specific fixes to a coordinated model in which critical, AI-identified open-source flaws are found and addressed before they appear in attacker playbooks.\n\n### Fixing flaws before attackers can find them\n\nTechnically, Athena's core promise is speed. It will find and patch open-source vulnerabilities \"before attackers can find them.\" Under the program, AI systems will sift through massive volumes of open-source code and dependency graphs to flag potential weaknesses so they can be validated and fixed upstream.\n\nSometimes, however, a clean patch isn't available as quickly as we'd want or need. 
To address this, Chainguard explains: \"Athena stacks independent layers of protection so that coverage exists even where a clean patch does not yet, and stays on every flaw until a durable upstream fix is in place.\"\n\nThe layers are:\n\n- Discovery -- Vetted findings are pooled from across the coalition, including frontier research programs such as Anthropic's Project Glasswing and OpenAI's Daybreak. Athena accepts findings generated by all frontier models.\n- Pre-embargo remediation -- Private forks and rebuilt, hardened versions are made available to members through Chainguard Libraries before disclosure. Findings are addressed in batches across an entire library, hardening it against whole classes of issues rather than a single bug. A flaw surfaced by one model stays under embargo even after a more capable model arrives that could rediscover it.\n- Continuous reconciliation -- Every finding is reconciled against upstream activity throughout the embargo, catching independent discovery and keeping fixes current as projects move ahead.\n- Platform, network, and infrastructure mitigations -- Partners that operate infrastructure, platform, network, and security layers push non-patch mitigations ahead of disclosure: detection signatures, traffic-level rules, and platform-side blocks that neutralize a flaw without the affected software ever being touched, at machine speed and with broad reach.\n- Detections and vendor mitigations -- Cybersecurity partners add their own detections, signatures, and virtual patching as a further independent layer.\n- Upstream disclosure and hard forks -- The coalition drives coordinated upstream disclosure, and Chainguard hopes to work with the Linux Foundation on a coordinated Security Incident Response Team for open source and a maintainer-of-last-resort program.\n\nChainguard is tying the initiative directly to its 
secure-by-default product line, which includes SLSA Level 3-compliant builds, signed artifacts with Software Bills of Materials (SBOMs), minimal images, and packages rebuilt from source daily to keep vulnerability counts near zero. By feeding Athena's findings into this build pipeline, the company says it can rapidly ship hardened containers, libraries, virtual machines (VMs), and open-source packages that incorporate the fixes. At the same time, this gives customers a clear provenance trail for compliance regimes ranging from FedRAMP and HIPAA to the EU's Cyber Resilience Act and NIS2.\n\n### A new front in the open-source AI security race\n\nChainguard and its partners aren't the only ones trying to get everyone on the same page when it comes to securing open-source code. [IBM and Red Hat are throwing billions of dollars and thousands of engineers at the problem](https://www.zdnet.com/article/open-source-security-is-a-mess-ibm-and-red-hat-bet-5-billion-to-fix-it/).\n\nThe [Open Source Security Foundation (OpenSSF)](https://openssf.org/) is also working on [OSS-CRS](https://openssf.org/projects/oss-crs/), a new open-source project within its AI/ML Security Working Group. OSS-CRS is a standardized orchestration framework for building and running LLM-based autonomous bug-finding and bug-fixing systems.\n\nFor CISOs and regulators watching the AI security story unfold, Athena will be a test case of whether AI-augmented collaboration on open-source vulnerabilities can scale beyond marketing slogans into measurable reductions in exploitable bugs. Personally, I think Chainguard and company can pull it off.\n\nAfter all, as Lorenc pointed out, \"Athena is operational today. More than 20,000 findings processed, 2,000 patches across 500 projects, first coordinated disclosures in about a month.\"\n\nHowever, as Lorenc said, \"Will it be perfect? No, and no one should pretend otherwise. 
But fragmentation is worse, standing still isn't survivable, and the more of the industry that's in, the less any attacker has left to find. Join us.\" You should. If anything's going to save our code, it will be efforts like Athena.", "url": "https://wpnews.pro/news/chainguard-s-new-athena-coalition-uses-ai-to-fix-open-source-flaws-before-them", "canonical_source": "https://www.zdnet.com/article/chainguard-athena-coalition-fixes-open-source-flaws-before-ai-attackers-exploit/", "published_at": "2026-06-16 12:22:00+00:00", "updated_at": "2026-06-16 12:51:38.346445+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "ai-products", "ai-infrastructure"], "entities": ["Chainguard", "Athena", "Dan Lorenc", "JPMorgan Chase", "Cisco", "Cloudflare", "Docker", "Kyndryl"], "alternates": {"html": "https://wpnews.pro/news/chainguard-s-new-athena-coalition-uses-ai-to-fix-open-source-flaws-before-them", "markdown": "https://wpnews.pro/news/chainguard-s-new-athena-coalition-uses-ai-to-fix-open-source-flaws-before-them.md", "text": "https://wpnews.pro/news/chainguard-s-new-athena-coalition-uses-ai-to-fix-open-source-flaws-before-them.txt", "jsonld": "https://wpnews.pro/news/chainguard-s-new-athena-coalition-uses-ai-to-fix-open-source-flaws-before-them.jsonld"}}