AI is finding vulnerabilities faster than anyone can patch them — coalitions scramble to respond

The security industry is facing what some are calling a “vulnpocalypse.” Frontier AI models, including Anthropic’s Mythos and OpenAI’s GPT-5.5-Cyber, are discovering vulnerabilities in open-source software at a rate and depth that human auditors could never match, collapsing the time between discovery and exploitation to near zero.

“It’s looking like a hot, messy summer for security teams,” wrote The Register’s Jessica Lyons, quoting Chainguard CEO Dan Lorenc: “The stats and data we’re seeing are so scary. If you just keep running scans on the same libraries and same code, it just keeps finding more. We haven’t seen that curve start to bottom out yet.”

Two major industry coalitions have formed in response.

Athena Coalition

Athena, launched by Chainguard in mid-June, pools vulnerability findings from across the industry and runs them through a coordinated remediation pipeline. Founding members include BNY, Cisco, Cloudflare, Docker, JPMorganChase, Kyndryl, and PwC.

The coalition has already processed more than 20,000 findings, developed over 2,000 patches across 500 open-source projects, and plans its first wave of coordinated public disclosures within weeks. The pipeline works on a pre-embargo model: members submit vulnerability findings from any frontier model, Chainguard acts as a clearinghouse to deduplicate and correlate findings, and hardened versions of affected libraries are privately distributed to members before public disclosure. If upstream maintainers cannot or will not patch, Athena acts as “maintainer of last resort,” keeping forks alive permanently.
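To make the clearinghouse step concrete, here is an added illustration of how findings from several models can be deduplicated and correlated into one canonical record per underlying bug. It is not Athena's code or schema; the field names, the package, the function names and the submissions are all constructed for the example. The correlation key is (ecosystem, package, affected function, weakness class), the widest reported affected range wins, and the number of independent submitters becomes a triage signal.

```python
"""Toy vulnerability-finding clearinghouse: deduplicate and correlate
reports that several AI models made against the same library.

Added example; constructed data and assumed field names, not Athena's pipeline."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed submissions. Two models and a rescan report the same bug in
# different words; one model also reports a second, distinct bug.
RAW_FINDINGS = [
    {"submitter": "member-a/model-x", "ecosystem": "c", "package": "libexample",
     "symbol": "parse_header()", "cwe": "CWE-125", "max_affected": "2.4.1",
     "summary": "Out-of-bounds read in header parser"},
    {"submitter": "member-b/model-y", "ecosystem": "C", "package": "LibExample",
     "symbol": "parse_header", "cwe": "cwe-125", "max_affected": "2.4.1",
     "summary": "OOB read when parsing headers"},
    {"submitter": "member-b/model-y", "ecosystem": "C", "package": "LibExample",
     "symbol": "parse_header", "cwe": "cwe-125", "max_affected": "2.4.1",
     "summary": "Heap over-read in parse_header (rescan of same tree)"},
    {"submitter": "member-c/model-z", "ecosystem": "c", "package": "libexample",
     "symbol": " parse_header(struct ctx *) ", "cwe": "CWE-125", "max_affected": "2.3.0",
     "summary": "Heap over-read reading past header length"},
    {"submitter": "member-a/model-x", "ecosystem": "c", "package": "libexample",
     "symbol": "free_ctx", "cwe": "CWE-415", "max_affected": "2.4.1",
     "summary": "Double free on error path"},
]


def version_key(v: str) -> tuple[int, ...]:
    """Turn a dotted version string such as '2.4.1' into a comparable tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def normalize_symbol(sym: str) -> str:
    """'parse_header()', ' parse_header(struct ctx *) ' -> 'parse_header'."""
    return re.sub(r"\(.*\)$", "", sym.strip()).lower()


def fingerprint(f: dict) -> tuple[str, str, str, str]:
    """Correlation key: same ecosystem, package, function and weakness class
    are treated as one underlying bug regardless of who reported it."""
    return (f["ecosystem"].lower(), f["package"].lower(),
            normalize_symbol(f["symbol"]), f["cwe"].upper())


@dataclass
class Canonical:
    ecosystem: str
    package: str
    symbol: str
    cwe: str
    max_affected: str
    submitters: set = field(default_factory=set)
    summaries: list = field(default_factory=list)

    @property
    def independent_reports(self) -> int:
        # Distinct submitters, not raw report count: a rescan by the same
        # model is not corroboration.
        return len(self.submitters)


def correlate(findings: list[dict]) -> list[Canonical]:
    """Merge raw findings into canonical records, most corroborated first."""
    merged: dict[tuple, Canonical] = {}
    for f in findings:
        key = fingerprint(f)
        rec = merged.get(key)
        if rec is None:
            rec = Canonical(*key, max_affected=f["max_affected"])
            merged[key] = rec
        # Widest affected range wins: a model that only tested an older
        # release must not narrow the scope of the fix.
        if version_key(f["max_affected"]) > version_key(rec.max_affected):
            rec.max_affected = f["max_affected"]
        rec.submitters.add(f["submitter"])
        rec.summaries.append(f["summary"])
    return sorted(merged.values(),
                  key=lambda r: (-r.independent_reports, r.package, r.symbol))


if __name__ == "__main__":
    for rec in correlate(RAW_FINDINGS):
        print(f"{rec.package} {rec.symbol} {rec.cwe} <= {rec.max_affected}: "
              f"{rec.independent_reports} independent reports, "
              f"{len(rec.summaries)} raw findings")
```

Five raw findings collapse to two records; the parse_header bug carries three independent submitters and four raw reports, which is the kind of corroboration a triage queue can sort on before any human reads the summaries.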

“The time to exploit has gone negative; exploits now land before a flaw is ever disclosed,” Lorenc said. “Athena’s whole job is to make the time to remediate even more negative, so the fix is already in place before the vulnerability is public.”

Akrites Coalition

The Linux Foundation launched Akrites on June 25, backed by more than 20 founding organizations including Amazon Web Services, Anthropic, Cisco, Google, IBM, Microsoft and GitHub, NVIDIA, OpenAI, Red Hat, the Rust Foundation, and JPMorganChase. Where Athena focuses on operational remediation, Akrites establishes a shared Security Incident Response Team (SIRT) and a standardized Coordinated Vulnerability Disclosure (CVD) process.

Akrites aims to prevent a fragmented patch landscape in which dozens of companies independently analyze the same software, flooding maintainers with duplicate reports and conflicting fixes. “Without coordination, those fixes will fragment across different patches and forks,” Lorenc told The Register.

The scale of the problem

Anthropic’s Project Glasswing, which grants pre-release access to Mythos for vulnerability research, reported finding 6,202 high- and critical-severity vulnerabilities across more than 1,000 open-source projects in May alone. OpenAI’s Daybreak initiative operates on a similar model. Among the discoveries was “Squidbleed,” a memory leak in widely deployed code that had gone undetected since the 1990s.

The challenge is structural: roughly 95 percent of the code in a typical modern application is open source. When AI models find flaws in third-party libraries, application security teams cannot simply fix the code themselves. They must coordinate with upstream maintainers, many of whom are overworked, unreachable, or have abandoned the project entirely.

Sources: It’s looking like a hot, messy summer for security teams as AI finds countless previously hidden vulns (The Register, June 27, 2026); Chainguard Launches Athena (Chainguard, June 15, 2026); Akrites Launch (Linux Foundation, June 25, 2026)