{"slug": "found-fast-fixed-slow-the-gap-the-ai-clearinghouse-must-close", "title": "Found fast, fixed slow: The gap the AI clearinghouse must close", "summary": "The Trump administration's AI cybersecurity clearinghouse, mandated by executive order, missed its 30-day deadline to coordinate vulnerability scanning and patching in critical infrastructure. Experts warn that without effective triage and patch deployment, the clearinghouse risks creating a backlog rather than improving security, as AI tools accelerate bug discovery but not remediation.", "body_md": "# Found fast, fixed slow: The gap the AI clearinghouse must close\n\nThe AI-focused executive order President Donald Trump [signed last month](https://cyberscoop.com/donald-trump-white-house-ai-executive-order-scaled-back/) gave the Treasury Department, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency (CISA) 30 days to establish a new “AI cybersecurity clearinghouse.” The deadline passed last week.\n\nThe clearinghouse is meant to coordinate the scanning, discovery, and validation of software [vulnerabilities](https://cyberscoop.com/tag/vulnerabilities/) in critical infrastructure, and then prioritize how those vulnerabilities get patched and distributed.\n\nIt’s the right problem to solve. The question now is whether what is created will actually solve it.\n\nThe risk is that urgency produces something that looks like a clearinghouse, but functions like a committee: collecting information, convening meetings, and then stalling when it gets to the hard part.\n\n#### Going beyond bug discovery is mission critical\n\nIt’s counterintuitive at a moment when [AI](https://cyberscoop.com/tag/artificial-intelligence-ai/)-assisted vulnerability discovery is advancing rapidly, but the hard part is no longer just finding bugs. Those of us working at the intersection of AI and cybersecurity know where the real bottleneck is. HackerOne has seen it firsthand as a launch partner in [Patch the Planet](https://www.hackerone.com/blog/patch-the-planet-open-source-security), [OpenAI](https://cyberscoop.com/tag/openai/)‘s initiative to use AI to find and fix vulnerabilities in critical open-source software at internet scale. The lesson underpinning that work, and informed by more than a decade of running vulnerability disclosure programs, is consistent: AI tools can surface vulnerabilities faster than anyone can act on them. What lags behind is everything that comes after discovery: deciding which findings are real, assessing severity in context, writing and testing a fix, and getting a [patch](https://cyberscoop.com/tag/patching/) accepted and deployed by the people responsible for maintaining the affected code.\n\nExperienced human reviewers frequently disagree with AI-assigned severity ratings, because a model cannot see a project’s threat model or operational context. Software providers, especially the many volunteer [open-source](https://cyberscoop.com/tag/open-source/) maintainers that so much of today’s digital infrastructure rely upon, face a relentless queue: verify the claim, assess the importance, write the patch, coordinate disclosure. AI has accelerated the incoming volume without yet equally accelerating our people and processes’ capacity to manage it. Better bug-finding tools mean you find more bugs. The improvements that really matter are the ones that help defenders push patches out and get them deployed faster.\n\nThat lesson should sit at the center of how the clearinghouse is designed.\n\nIf the clearinghouse focuses primarily on scanning coordination, which the executive order’s text emphasizes, it risks widening that gap rather than closing it. A body that finds more vulnerabilities but cannot move them to resolution is not a security win. At national scale, it is a backlog generator.\n\n#### Laying a foundation for success\n\nThe administration can get this right, but it requires building the correct infrastructure now, not layering it on later.\n\nThe clearinghouse needs to do more than coordinate scanning. It needs to actually triage the results. Its core job should be filtering reports to identify which findings are truly credible, exploitable, and consequential for [critical infrastructure](https://cyberscoop.com/tag/critical-infrastructure/). Using shared validation standards and risk-based prioritization, it can determine what warrants a national response. Otherwise, it’s just automating bigger backlogs.\n\nSecond, the clearinghouse also needs to tackle something more fundamental. Defenders don’t have the resources to respond to what gets reported. Vulnerabilities in critical infrastructure often live in open-source code maintained by small teams or individuals with no formal obligation to respond to disclosures and limited capacity to act quickly. The clearinghouse should work with the [National Institute of Standards and Technology (NIST)](https://cyberscoop.com/tag/NIST/) to develop guidelines for open-source maintainers on structuring repositories and workflows to speed up patch review and deployment.\n\nThese guidelines should include how to use AI-assisted patching and clarify what downstream consumers of open-source code should do to help maintainers address vulnerabilities. Federal policy should create incentives for downstream users to share responsibility for remediation through funding, engineering support, AI-assisted patch development, and procurement requirements that reward participation in coordinated vulnerability response.\n\nThird, the clearinghouse should treat [software bills of materials (SBOMs)](https://cyberscoop.com/tag/sbom/), the structured inventories of the components that make up a software product, as foundational infrastructure. SBOMs are what make it possible to trace where a vulnerable component lives across the supply chain. Without them, validated findings won’t be fixed fast enough at scale.\n\nFinally, the clearinghouse should measure success based on what is fixed, not based on what is discovered. Agencies need to publish data on validation rates, time-to-patch, adoption of fixes, and recurring classes of vulnerabilities. These metrics help AI systems, software vendors, and policymakers to continuously improve how vulnerabilities are addressed.\n\nMost importantly: the agencies standing up this clearinghouse should resist the temptation to build its operational model from scratch. The private sector and the open-source security community have years of experience running exactly the kind of vulnerability intake, triage, and coordinated disclosure workflows the clearinghouse needs. The executive order wisely calls for voluntary collaboration with industry. That collaboration should be structural, not advisory, embedded in how the clearinghouse operates from the start, not bolted on after the architecture is already set.\n\nThe clearinghouse can work. But the challenge is no longer finding vulnerabilities. It is building a system that can turn discoveries into action. That is how its success should be measured.", "url": "https://wpnews.pro/news/found-fast-fixed-slow-the-gap-the-ai-clearinghouse-must-close", "canonical_source": "https://cyberscoop.com/ai-executive-order-cybersecurity-clearinghouse-vulnerability-patching-gap/", "published_at": "2026-07-08 09:00:00+00:00", "updated_at": "2026-07-08 09:02:48.047141+00:00", "lang": "en", "topics": ["ai-safety", "ai-policy"], "entities": ["Treasury Department", "National Security Agency", "CISA", "HackerOne", "OpenAI", "Donald Trump"], "alternates": {"html": "https://wpnews.pro/news/found-fast-fixed-slow-the-gap-the-ai-clearinghouse-must-close", "markdown": "https://wpnews.pro/news/found-fast-fixed-slow-the-gap-the-ai-clearinghouse-must-close.md", "text": "https://wpnews.pro/news/found-fast-fixed-slow-the-gap-the-ai-clearinghouse-must-close.txt", "jsonld": "https://wpnews.pro/news/found-fast-fixed-slow-the-gap-the-ai-clearinghouse-must-close.jsonld"}}