Press ReleaseArtificial IntelligenceCloud Security

Chainguard Adds New Members to Athena Coalition as Coordinated Open Source Defense Scales

Chainguard's Industry Coalition Reports 40,000 Findings Processed

Chainguard today announced the expansion of Athena, the industry coalition for the orchestrated defense of open source software, adding new members, including Akamai, Black Duck, Cycode, JFrog, Morgan Stanley, Qualys, Upwind, and Zafran. The company also shared updated figures on the volume and severity of vulnerabilities the coalition has processed since launching three weeks ago.

To date, Athena has processed more than 40,000 vulnerabilities, doubling its intake since launching three weeks ago. Of vulnerabilities submitted so far, 42% are critical- or high-severity. While significant, the number understates the real exposure, as frontier AI models can chain low- and medium-severity bugs into more serious attacks that no single CVSS score captures. Additionally, 86% are network-reachable, meaning they can be accessed and triggered by attackers at the network level. About 7% sit in packages more than five years old. These are latent flaws in mature, widely trusted dependencies that survived extensive expert review without detection.

“Frontier models are finding zero-days in open source faster than anyone can respond—the time from discovery to exploitation is now measured in hours, and no one company is going to get ahead of that alone. Athena proves that orchestrated defense works,” said Dan Lorenc, CEO and Co-founder, Chainguard. “The volume and severity of what Athena is already finding make clear just how much depends on getting this right. The more of the ecosystem that joins, the less room attackers have to operate.”

A Growing Coalition for Open Source Defense

Athena’s expansion reflects growing industry recognition that open source vulnerabilities require a coordinated response. New members joining Athena’s founding partners include Akamai, Black Duck, Cycode, JFrog, Morgan Stanley, Qualys, Upwind, and Zafran.

Athena’s partners work across the coalition’s defence pipeline: findings are pooled and de-duplicated, hardened fixes are built under embargo, partners stack non-patch protection around them, silent fixes are surfaced to exposed downstream users, and durable fixes are driven upstream to maintainers.

How the Coalition Protects Users Before a Patch Ships

Open source vulnerabilities do not respect organisational boundaries, and a patch that exists but cannot be deployed in time offers little protection. As part of its growing membership, Athena has expanded its cyber partner network, making cyber the largest cohort of partners in the coalition. Cyber partners receive a dedicated pre-disclosure feed and use it to build mitigations at the network, endpoint, and traffic layers that hold even before a clean patch exists or can be deployed. They also help surface “silent” vulnerabilities, or vulnerabilities that are fixed upstream but never assigned a CVE, that conventional scanning tools generally miss.

“Defending digital infrastructure in the age of AI requires a rapid, unified response,” said Boaz Gelbord, Chief Security Officer, Akamai. “Athena allows us to protect customers with pre-embargo hardened software and platform-level mitigations before vulnerabilities can be exploited.”

“Frontier AI models are not only discovering thousands of zero days, but also chaining vulnerabilities together to exploit existing ones at machine speed, collapsing the gap between discovery and exploitation from weeks to hours. In this new reality, the era of ‘scan and hope’ is definitively over. Attackers are actively weaponising the trusted models and agentic tools driving today’s development,” said Gal Marder, Chief Strategy Officer, JFrog. “By joining Athena’s orchestrated defense coalition, JFrog is committed to helping organisations bridge the dangerous gap between an AI-discovered vulnerability and remediation in production. We provide the single source of truth for all software assets, which enables fully automated updates of patched components at scale, and full governance of the entire remediation process of every binary component, using any packaging technology in any environment.”

“As consistent contributors to open-source vulnerability research and disclosure, Qualys welcomes the invitation to participate in Chainguard’s Athena coalition and secure open-source software by safely validating the exploitability of vulnerabilities with our technology,” said Dilip Bachwani, Chief Technology Officer, Qualys. “We believe creating a safer digital future is a shared industry responsibility. This builds on our ongoing work to help customers, partners, and stakeholders prepare for a future where vulnerability discovery and remediation pressure move faster than ever.”

“AI is fundamentally changing the pace of vulnerability discovery, making coordinated defense more important than ever. By joining Athena, Upwind is bringing pre-disclosure vulnerability intelligence together with runtime visibility, helping organisations identify affected workloads and reduce the window between discovery and defence. Protecting the open source ecosystem is a shared responsibility, and we’re proud to contribute Upwind’s runtime intelligence to strengthen the coalition and improve visibility for the entire community,” said Tomer Hadassi, COO, Upwind.

Every partner closes a gap, and the more layers the coalition covers, the less time an attacker has to operate before a flaw becomes public.

Akrites: The Importance of Driving Fixes Upstream

Pre-disclosure protection buys time, but the goal is to land a durable fix in the upstream codebase. To close that loop, Chainguard has joined Akrites, the Linux Foundation’s coordinated effort to remediate and disclose open source vulnerabilities upstream. Once a fix is built, shielded, and surfaced, Athena hands the finding to Akrites, which operates a shared Security Incident Response Team (SIRT) and a single standardised disclosure process, so maintainers receive notifications from a single trusted partner rather than a flood of overlapping reports. For critical packages with no active maintainer, Akrites serves as a maintainer of last resort.

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *