Chainguard Adds New Members to Athena Coalition as Coordinated Open Source Defense Scales
Canada NewsWire
KIRKLAND, Wash., July 7, 2026
Chainguard's industry coalition reports 40,000 findings processed
KIRKLAND, Wash., July 7, 2026 /CNW/ -- Chainguard today announced the expansion of Athena, the industry coalition for the orchestrated defense of open source software, adding new members, including Akamai, Black Duck, Cycode, JFrog, Morgan Stanley, Qualys, Upwind, and Zafran. The company also shared updated figures on the volume and severity of vulnerabilities the coalition has processed since launching three weeks ago.
To date, Athena has processed more than 40,000 vulnerabilities, doubling its intake since launching three weeks ago. Of vulnerabilities submitted so far, 42% are critical- or high-severity. While significant, the number understates the real exposure, as frontier AI models can chain low- and medium-severity bugs into more serious attacks that no single CVSS score captures. Additionally, 86% are network reachable, meaning they can be accessed and triggered by attackers at the network level. About 7% sit in packages more than five years old. These are latent flaws in mature, widely trusted dependencies that survived extensive expert review without detection.
"Frontier models are finding zero-days in open source faster than anyone can respond with discovery to exploitation is now measured in hours, and no one company is going to get ahead of that alone. Athena proves that orchestrated defense works," said Dan Lorenc, CEO and Co-founder, Chainguard. "The volume and severity of what Athena is already finding make clear just how much depends on getting this right. The more of the ecosystem that joins, the less room attackers have to operate."
A growing coalition for open source defense
Athena's expansion reflects growing industry recognition that open source vulnerabilities require a coordinated response. New members joining Athena's founding partners include Akamai, Black Duck, Cycode, JFrog, Morgan Stanley, Qualys, Upwind, and Zafran.
Athena's partners work across the coalition's defense pipeline: findings are pooled and de-duplicated, hardened fixes are built under embargo, partners stack non-patch protection around them, silent fixes are surfaced to exposed downstream users, and durable fixes are driven upstream to maintainers.
How the coalition protects users before a patch ships
Open source vulnerabilities do not respect organizational boundaries, and a patch that exists but cannot be deployed in time offers little protection. As part of its growing membership, Athena has expanded its cyber partner network, making cyber the largest cohort of partners in the coalition. Cyber partners receive a dedicated pre-disclosure feed and use it to build mitigations at the network, endpoint, and traffic layers that hold even before a clean patch exists or can be deployed. They also help surface "silent" vulnerabilities, or vulnerabilities that are fixed upstream but never assigned a CVE, that conventional scanning tools generally miss.
"Defending digital infrastructure in the age of AI requires a rapid, unified response," said Boaz Gelbord, Chief Security Officer, Akamai. "Athena allows us to protect customers with pre-embargo hardened software and platform-level mitigations before vulnerabilities can be exploited."
"Frontier AI models are not only discovering thousands of zero days, but also chaining vulnerabilities together to exploit existing ones at machine speed, collapsing the gap between discovery and exploitation from weeks to hours. In this new reality, the era of 'scan and hope' is definitively over. Attackers are actively weaponizing the trusted models and agentic tools driving today's development," said Gal Marder, Chief Strategy Officer, JFrog. "By joining Athena's orchestrated defense coalition, JFrog is committed to helping organizations bridge the dangerous gap between an AI-discovered vulnerability and remediation in production. We provide the single source of truth for all software assets which enables fully-automated updates of patched components at scale, and full governance of the entire remediation process of every binary component, using any packaging technology in any environment."
"As consistent contributors to open-source vulnerability research and disclosure, Qualys welcomes the invitation to participate in Chainguard's Athena coalition and secure open-source software by safely validating the exploitability of vulnerabilities with our technology," said Dilip Bachwani, chief technology officer, Qualys. "We believe creating a safer digital future is a shared industry responsibility. This builds on our ongoing work to help customers, partners, and stakeholders prepare for a future where vulnerability discovery and remediation pressure move faster than ever."
"AI is fundamentally changing the pace of vulnerability discovery, making coordinated defense more important than ever. By joining Athena, Upwind is bringing pre-disclosure vulnerability intelligence together with runtime visibility, helping organizations identify affected workloads and reduce the window between discovery and defense. Protecting the open source ecosystem is a shared responsibility, and we're proud to contribute Upwind's runtime intelligence to strengthen the coalition and improve visibility for the entire community," said Tomer Hadassi, COO, Upwind.
Every partner closes a gap, and the more layers the coalition covers, the less time an attacker has to operate before a flaw becomes public.
Akrites: the importance of driving fixes upstream
Pre-disclosure protection buys time, but the goal is to land a durable fix in the upstream codebase. To close that loop, Chainguard has joined Akrites, the Linux Foundation's coordinated effort to remediate and disclose open source vulnerabilities upstream. Once a fix is built, shielded, and surfaced, Athena hands the finding to Akrites, which operates a shared Security Incident Response Team (SIRT) and a single standardized disclosure process, so maintainers receive notifications from a single trusted partner rather than a flood of overlapping reports. For critical packages with no active maintainer, Akrites serves as a maintainer of last resort.
Joining the coalition to defend open source
The open source ecosystem is too large and too critical for any single organization to defend alone. Athena is built for the organizations that want to do more than react. Organizations that find vulnerabilities can submit them to the coalition for carry-through to a durable upstream fix. Organizations that build detections or mitigations, or carry fixes into real environments at scale, can become cyber partners and join the feed. Learn more at chainguard.dev/athena.
About Athena
Athena is the industry coalition for the orchestrated defense of open source software. Frontier AI models can now find novel, chained zero-day vulnerabilities in open source at machine speed, and the gap between discovery and exploitation has collapsed from years to hours. Athena closes the loop from vulnerability discovery through pre-embargo remediation to layered, defense-in-depth protection: pooling findings from across the coalition, building hardened fixes under embargo, stacking independent mitigations at the network, endpoint, and mission layers, and driving durable fixes upstream to maintainers. Members include leading global organizations, such as BNY, Chainguard, Cisco, Cloudflare, JPMorganChase, Morgan Stanley, PwC, and more, spanning submitters, platform and network providers, cybersecurity vendors, and global professional services. Learn more at chainguard.dev/athena.
About Chainguard
Chainguard is the trust layer for open source software. Its solutions provide engineers and AI agents with the hardened, trusted, and production-ready artifacts they rely on, so organizations can build fast while staying compliant and protecting against AI supply chain attacks. Customers include Fortune 500 enterprises and global industry leaders, including Anduril, Canva, Fortinet, Hewlett Packard Enterprise, OpenAI, Snap Inc., and Snowflake. Chainguard is venture-backed by leading investors, including Amplify, IVP, Kleiner Perkins, Lightspeed Venture Partners, Mantis VC, Redpoint Ventures, Sequoia Capital, and Spark Capital. For more information, visit: https://www.chainguard.dev/
View original content to download multimedia:https://www.prnewswire.com/news-releases/chainguard-adds-new-members-to-athena-coalition-as-coordinated-open-source-defense-scales-302818937.html
SOURCE Chainguard
