It's going to be a "messy" summer for security folks, especially when it comes to fixing the open source code that underpins their organizations.

That's according to Dan Lorenc, CEO and co-founder of Chainguard, a software supply-chain security company leading Athena, a newly formed coalition of about two dozen companies that wants to make the process of finding and fixing open source bugs "as easy to consume as possible." The members have committed to using AI to prevent attacks on open source software. In addition to Chainguard, other founding member companies include BNY, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl, LTM, and PwC.

Many of these member companies are also partners with Anthropic's Project Glasswing and OpenAI Daybreak, which allow them to try out the pair's most advanced bug-hunting models. The coalition accepts vulnerability findings generated by all frontier models, according to Lorenc.

Athena has already processed more than 20,000 findings and developed over 2,000 patches across 500 open source projects. In about three weeks, the coalition's first wave of bug disclosures will begin.

"This is going to be a messy summer for everyone," Lorenc told The Register in a phone interview.

"I know there's still a percentage of people who think it's all fake and marketing," he said, talking about the newest, most advanced frontier models like Anthropic's Mythos and OpenAI's GPT‑5.5‑Cyber.

"The stats and data we're seeing are so scary – if you just keep running scans on the same libraries and same code, it just keeps finding more [vulnerabilities]," Lorenc said. "We haven't seen that curve start to bottom out yet."

Chainguard isn't part of Glasswing or Daybreak, but many of its customers and partners are. "Put yourself in the shoes of someone with Glasswing access," he said. "You get this crazy, new model that can find vulnerabilities everywhere, that no one had seen and you had missed for years with all of your other tooling. You run it on your code, and it finds tons of stuff in your first-party code, the stuff that you've written, and you fix all of that."

After running Mythos Preview on all of your organization's proprietary code, imagine pointing the model at an application. Most modern apps contain a mixture of code from different sources, mostly third-party. According to Lorenc, 95 percent of the code in any of these codebases is open source.