Over two dozen fintech and technology organizations have formed a coalition to secure open source software (OSS) from accelerated, AI-driven exploitation.
Named Athena, it has gathered industry leaders such as BNY, Chainguard, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTM, PwC, and more, under a shared goal: to find vulnerabilities in OSS and to triage, fix, and protect against their exploitation even before patches arrive.
Each member adds capability that others cannot provide, ranging from pre-disclosure findings to extended protections across layers the exploits traverse, security patches, and means to deliver fixes at scale.
Athena relies on a shared, active platform that stacks multiple layers of protection, pooling and correlating findings from each member, to provide coverage until an upstream fix is available.
By design, a significant part of Athena’s impact is invisible: mitigations are meant to address weaknesses before they become public knowledge, protecting libraries that are widely used across tech companies’ products and critical infrastructure systems.
Athena accepts findings from all members, including findings produced by frontier AI models, with patches rolling out to member organizations before public disclosure through Chainguard Libraries. Vulnerabilities are fixed in batches across an entire library, eliminating the whole class of issues rather than a single identified flaw.
Findings are reconciled against upstream activity to keep patches current, and non-patch mitigations are pushed ahead of disclosure across infrastructure, platform, network, and security layers, to neutralize security defects with broad reach.
A further independent layer is added through detections, signatures, and virtual patches provided by cybersecurity partners.
The coalition coordinates public disclosure upstream, and Chainguard hopes to partner with the Linux Foundation on a coordinated Security Incident Response Team (SIRT) for OSS and a maintainer-of-last-resort program.
Vetted organizations can join Athena through an application process on the coalition’s website. Members can share findings with a trusted subset of the coalition or with all members.
Athena was created in response to the use of AI to accelerate cyberattacks: with frontier models capable of reading code, reasoning, and chaining flaws in minutes or hours, patching needs to be delivered at machine speed.
“The time to exploit has gone negative – exploits now land before a flaw is ever disclosed. Athena’s whole job is to make the time to remediate even more negative, so the fix is already in place before the vulnerability is public. No one company can get ahead of this alone, and orchestrated defense is the only answer,” said Chainguard CEO and co-founder Dan Lorenc.