Back to Feed
Threat IntelligenceJul 9, 2026

Summer of Clearinghouses

Chainguard launches Athena, a vulnerability clearinghouse, amid a surge of AI-discovered flaws.

Summary

Chainguard has launched Athena, a new vulnerability clearinghouse, distinguishing itself by being operational before its announcement. The company highlights that the clearinghouse itself is less critical than the 'factory' – the automated process of rebuilding, testing, and signing software artifacts with fixes. This development comes amidst a broader trend of clearinghouse announcements and a surge in pre-disclosure vulnerabilities discovered by AI models, impacting open-source software.

Full text

Summer of Clearinghouses The Hacker NewsJul 09, 2026AI Security / Application Security Everyone seems to have announced a clearinghouse over the past few weeks. We did too. Ours is called Athena, and the main thing that sets it apart is that it was already real and running when we announced it — built quietly months earlier, heads down, taking findings and shipping fixes, because customers kept asking us to. We only announced it now because everyone else started announcing theirs, and staying quiet started to look like something it wasn't. The others arrived louder and, as far as anyone outside the press releases could tell, didn't exist yet. Here's the part none of those announcements will tell you: the clearinghouse is the least important thing to build. When a project we'd deliberately kept private, a five-billion-dollar press release, and the White House all reach for the same word inside a few weeks, that's not a trend. Trends are optional. This is the shape of a problem changing under everyone at once. So let me explain why these things are appearing, why most of them won't matter, and why the few that do are quietly racing to put themselves out of business. A clearinghouse is just data Clearinghouses aren't new to open source. We've had them for decades. The NVD is a clearinghouse. So is the GitHub Advisory Database, and OSV, and every security feed you've ever pulled from. Every vendor with a vulnerability portal is running one too, scoped to its own software. They are all the same thing: a pool of vulnerability data with a front door. The "clearinghouses" being announced this summer aren't a new species, but they do pool a new kind of data: pre-disclosure vulnerabilities scattered across the long tail of open source. Some in critical projects, some in tiny ones nobody's heard of; some at the latest version, some at whatever older release happened to be running. It amounts to the least organized but most thorough security research project ever assembled. And because of the Unix process model, they all matter the same: a flaw in the most obscure dependency runs with the exact same privileges as the application that loaded it, so the smallest leaf in the tree can hand over the whole process. If the pool isn't new, the pool isn't the story. The pool was never the point Data is inert. A finding sitting in a database has never patched anything. The value, the part that has always been hard, is actuation: turning that finding into a rebuilt, tested, signed artifact, backported into the version you're actually running, sitting in the registry your tooling already points at. Not "here's an advisory, good luck." A fix, where you'll consume it, before you go looking for it. This is the part Chainguard has done for years, sitting downstream of every public clearinghouse there is. Our build system watches thousands of open source projects and reacts the moment an advisory lands: fetch, rebuild from source, test, sign. Most CVEs are remediated in roughly two days, and the overwhelming majority never touch a human hand. We hold a one-day SLA on the vulnerabilities CISA says are actively exploited. We've remediated well over 100,000 of them. The clearinghouse data was always the input. The factory was the product. Which is exactly why Athena is the least important thing we built. We already had the factory. A clearinghouse is just a new front door to it. A few months ago, when the people running the frontier model programs asked us to start doing this for non-public vulnerabilities, that's all it was. Same machine. New pipe. The flood is a byproduct Forget the clearinghouses for a second: why is there suddenly a flood of private vulnerabilities in open source, and why is everyone scanning the same code? The answer is that nobody set out to. It's a byproduct. The best way to get a real signal out of a model like Mythos isn't to point it at a file and ask politely. It's to put it in front of a running application — the thing actually executing, a debugger attached, a sandbox to play in, the source in context — and hand it a vague, adversarial prompt. "Break this." And it does. It finds the flaws in your first-party code, and those you just fix. You own that code. You don't need a clearinghouse to patch yourself. But almost none of a real application is your code. The overwhelming majority is open source, a lot of it is out of date, and the model does not care about the line between what you wrote and what you imported. It chains across the entire surface. The exploit it hands you doesn't stop at your border. It runs straight through some dependency three layers down that you've never heard of, and nobody has maintained in years. That artifact — a live working exploit for code that isn't yours to fix — is the thing with nowhere to go. That is what every one of these clearinghouses is actually a response to. It also explains the data's two strange properties at once: it's private because it's a loaded weapon, and it lands on a shared target, because the few dozen libraries that show up in everyone's apps are exactly the few dozen libraries every one of these models is now crawling over. The findings themselves barely overlap. But the code they surface in does. That concentration decides the next question. A few large ones How many of these should exist? Start with the thing that makes the timing brutal. The mean time to exploit is now estimated at negative seven days. Across the vulnerabilities weaponized last year, exploitation started, on average, a full week before the patch was even public. That number used to be sixty-plus days. It crossed zero in 2024. Mandiant, Google, and CrowdStrike all tell the same story — CrowdStrike puts it at 42% of exploited vulnerabilities hit before public disclosure. The attacker is no longer racing the patch; the attacker is finishing before the patch begins. And when there is a patch, the patch is the map. A published fix is a diff that points straight at the bug. In our own experiments, we've watched an advisory become a working exploit, with no public proof-of-concept to crib from, in under an hour. Disclosure is the starting gun, and you fire it at yourself. So the entire game becomes: how much of the world is already protected at the instant disclosure happens? It can't be everyone. The fix is the map, so pre-disclosure protection extends exactly as far as the people you can vet and hold to an embargo. But it can be a lot of people, and from there, if you move quickly and carefully, you can protect a lot more the instant the embargo lifts. And that is a question of scale. Bigger pools win, for four reasons that compound. The findings rarely overlap, but they pile onto the same few dozen libraries that sit in everyone's stack — so a bigger pool maps that shared handful more completely than any single team could alone. Every fix to one of those libraries protects every member who depends on it, so coverage compounds with membership faster than attackers can outrun it. Scale buys leverage upstream, too: a volunteer maintainer engages with one recognized security team, not thirty strangers. And scale buys orchestration reach, because you can only fire the layers that are in the room — no CDN, no network rule; no security vendors, no detection content; no one touching production, no backport. There's a quieter reason: a channel full of unembargoed exploits is the single most valuable target in the ecosystem, and only a well-funded operation can defend it to the bar that requires. A thin one isn't a smaller version of the same thing. It's a skeleton key. But it was never going to be one. The fear of a monoculture is real and rational — one pool holding everyone's pre-disclosure exploits is a skeleton key for the whole internet, and nobody should be comfortable with that, including whoever holds it. Regulators aren't: APRA, Australia's banking regulator, tells its banks to move at AI speed and manage concentration risk in t

Entities

Athena (product)Chainguard (vendor)AI (technology)open source (technology)