The AI-focused executive order President Donald Trump signed last month gave the Treasury Department, the National Security Agency, and the Cybersecurity and Infrastructure Security Agency (CISA) 30 days to establish a new “AI cybersecurity clearinghouse.” The deadline passed last week.
The clearinghouse is meant to coordinate the scanning, discovery, and validation of software vulnerabilities in critical infrastructure, and then prioritize how those vulnerabilities get patched and distributed.
It’s the right problem to solve. The question now is whether what is created will actually solve it.
The risk is that urgency produces something that looks like a clearinghouse, but functions like a committee: collecting information, convening meetings, and then stalling when it gets to the hard part.
Going beyond bug discovery is mission critical
It’s counterintuitive at a moment when AI-assisted vulnerability discovery is advancing rapidly, but the hard part is no longer just finding bugs. Those of us working at the intersection of AI and cybersecurity know where the real bottleneck is. HackerOne has seen it firsthand as a launch partner in Patch the Planet, OpenAI‘s initiative to use AI to find and fix vulnerabilities in critical open-source software at internet scale. The lesson underpinning that work, and informed by more than a decade of running vulnerability disclosure programs, is consistent: AI tools can surface vulnerabilities faster than anyone can act on them. What lags behind is everything that comes after discovery: deciding which findings are real, assessing severity in context, writing and testing a fix, and getting a patch accepted and deployed by the people responsible for maintaining the affected code.
Experienced human reviewers frequently disagree with AI-assigned severity ratings, because a model cannot see a project’s threat model or operational context. Software providers, especially the many volunteer open-source maintainers that so much of today’s digital infrastructure rely upon, face a relentless queue: verify the claim, assess the importance, write the patch, coordinate disclosure. AI has accelerated the incoming volume without yet equally accelerating our people and processes’ capacity to manage it. Better bug-finding tools mean you find more bugs. The improvements that really matter are the ones that help defenders push patches out and get them deployed faster.
That lesson should sit at the center of how the clearinghouse is designed.
If the clearinghouse focuses primarily on scanning coordination, which the executive order’s text emphasizes, it risks widening that gap rather than closing it. A body that finds more vulnerabilities but cannot move them to resolution is not a security win. At national scale, it is a backlog generator.
Laying a foundation for success
The administration can get this right, but it requires building the correct infrastructure now, not layering it on later.
The clearinghouse needs to do more than coordinate scanning. It needs to actually triage the results. Its core job should be filtering reports to identify which findings are truly credible, exploitable, and consequential for critical infrastructure. Using shared validation standards and risk-based prioritization, it can determine what warrants a national response. Otherwise, it’s just automating bigger backlogs.
Second, the clearinghouse also needs to tackle something more fundamental. Defenders don’t have the resources to respond to what gets reported. Vulnerabilities in critical infrastructure often live in open-source code maintained by small teams or individuals with no formal obligation to respond to disclosures and limited capacity to act quickly. The clearinghouse should work with the National Institute of Standards and Technology (NIST) to develop guidelines for open-source maintainers on structuring repositories and workflows to speed up patch review and deployment.
These guidelines should include how to use AI-assisted patching and clarify what downstream consumers of open-source code should do to help maintainers address vulnerabilities. Federal policy should create incentives for downstream users to share responsibility for remediation through funding, engineering support, AI-assisted patch development, and procurement requirements that reward participation in coordinated vulnerability response.
Third, the clearinghouse should treat software bills of materials (SBOMs), the structured inventories of the components that make up a software product, as foundational infrastructure. SBOMs are what make it possible to trace where a vulnerable component lives across the supply chain. Without them, validated findings won’t be fixed fast enough at scale.
Finally, the clearinghouse should measure success based on what is fixed, not based on what is discovered. Agencies need to publish data on validation rates, time-to-patch, adoption of fixes, and recurring classes of vulnerabilities. These metrics help AI systems, software vendors, and policymakers to continuously improve how vulnerabilities are addressed.
Most importantly: the agencies standing up this clearinghouse should resist the temptation to build its operational model from scratch. The private sector and the open-source security community have years of experience running exactly the kind of vulnerability intake, triage, and coordinated disclosure workflows the clearinghouse needs. The executive order wisely calls for voluntary collaboration with industry. That collaboration should be structural, not advisory, embedded in how the clearinghouse operates from the start, not bolted on after the architecture is already set.
The clearinghouse can work. But the challenge is no longer finding vulnerabilities. It is building a system that can turn discoveries into action. That is how its success should be measured.

