The initiative brings together BNY, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTM and PwC, with Chainguard acting as the coordinating platform. Athena is already operational with more than two dozen participating organisations, having processed over 20,000 vulnerability findings and generated more than 2,000 patches across 500 open-source projects. Its first coordinated disclosure wave is scheduled for July.
The move marks a shift in software security practice from disclosure-led patching to defence put in place before the embargo lifts. Traditional coordinated disclosure was built around a slower sequence: a flaw is found, maintainers are notified, a patch is prepared, an advisory is published and users are expected to update. Athena is designed for a faster environment in which advanced AI models can read large codebases, trace dependencies and identify chained zero-day vulnerabilities before many maintainers or vendors can respond.
Chainguard chief executive and co-founder Dan Lorenc said the exploit window has changed sharply. “The time to exploit has gone negative — exploits now land before a flaw is ever disclosed,” he said. “Athena’s whole job is to make the time to remediate even more negative, so the fix is already in place before the vulnerability is public. No one company can get ahead of this alone, and orchestrated defence is the only answer.”
Athena will collect vetted findings from member organisations, including those produced through frontier AI security programmes such as Anthropic’s Project Glasswing and OpenAI’s Daybreak. The coalition then deduplicates reports, enriches them with technical context, traces when a weakness entered the code, checks whether the flaw has already been repaired upstream and identifies related patterns across other projects.
The platform’s most sensitive work happens before public disclosure. Affected projects can be rebuilt as private, hardened versions and made available to members through Chainguard Libraries while an embargo remains in place. The coalition also intends to harden entire libraries against classes of flaws rather than treating each AI-discovered bug as an isolated defect. That approach is aimed at preventing a stronger model or a malicious actor from finding the next variant in the same code path.
Network and platform partners have a central role because many organisations cannot patch critical systems within hours. Athena’s model allows infrastructure providers and security vendors to prepare traffic-level rules, detection signatures, virtual patches and platform-side blocks before details become public. The aim is to reduce exploitation risk even where a clean software patch is not yet deployed.
The coalition is also seeking to avoid a fragmented response in which cloud providers, software vendors and security teams privately fork the same libraries with separate patch sets. That fragmentation can leave no shared record of what has been fixed, where fixes have diverged and which systems remain exposed. Athena’s clearinghouse structure is intended to create a common technical pipeline while allowing members to retain control over what they share and on which embargo timeline.
The timing is significant for banks and large enterprises, which depend heavily on open-source components across payment systems, trading platforms, cloud infrastructure, artificial intelligence tools and internal development pipelines. Commercial software audits show that open-source code now makes up a majority of modern codebases, while dependency chains have become deeper and harder to monitor. Security teams are also dealing with a sharp rise in malicious packages across public registries, where attackers target developers, build tools and credentials rather than only finished applications.
BNY chief information security officer Dave Robinson said trust in underlying software had become a direct operational issue. “Our clients count on BNY to protect what matters most, including the software behind our systems. As AI speeds up the discovery of vulnerabilities, Athena may help us identify and address risks earlier,” he said.
