US launches vulnerability clearinghouse as AI-induced defects surge

AI News


The Trump administration on Tuesday announced the release A program that coordinates the security community’s use of frontier AI models to rapidly identify and remediate vulnerabilities.

The vulnerability management clearinghouse, which the administration has dubbed Gold Eagle, is a response to the rapidly increasing number of vulnerabilities discovered by AI models, and the strain that proliferation is placing on the security community. Through the clearinghouse, the government will coordinate efforts by private companies and independent researchers to scan critical software packages for flaws, fix those that surface, and deploy those fixes to end users.

With so many security experts searching for software vulnerabilities, governments are seeking to harmoniously integrate their expertise with the capabilities of the frontier AI models many of them use. The goal is to deploy national vulnerability hunters and their AI tools to the widest possible range of software, rather than a small group of vulnerability hunters focusing on the same software and repeating the same efforts, wasting valuable time and resources in an arms race with cybercriminals and nation-state adversaries.

Gold Eagle “has already begun to incorporate and prioritize identified cybersecurity vulnerabilities from all industries and sectors, adjust scan validation, and ultimately secure our nation’s software and networks.” The White House said in a statement:.

The core of the Gold Eagle program is Vulnerability Information and Coordination Environment (VINCE)operated by the government in collaboration with Carnegie Mellon University’s Software Engineering Institute. The VINCE platform allows anyone to report vulnerabilities to the Gold Eagle program for triage and mitigation.

National Cyber ​​Director Sean Cairncross told reporters at a briefing Tuesday that VINCE will enable “coordination of vulnerabilities and patching at unprecedented speed and scale.”

Gold Eagle focuses on open source software. Open source software code underpins a wide range of critical infrastructure, but is often under-vetted. Open source developers, many of whom volunteer their time to maintain their projects, say: they were overwhelmed With the large number of bug reports generated by AI, some of them are surprisingly accurate.

Open source developers are “vital partners” in the Gold Eagle program, Cairncross said, noting that their code is essential to American life.

Redundancy, liability concerns

The White House explained the Gold Eagle, which President Donald Trump ordered its creation. his June executive order AI Security is described as “a coordinated system that receives and patches cyber vulnerabilities at unprecedented speed and scale,” and that “represents a new operating model for cyber defense.”

Still, Gold Eagle comes at a time when the private sector is already creating several similar programs. The Linux Foundation is supported by Anthropic, Microsoft, and other leading technology companies. A program called Acrite Empower the open source community to identify and address vulnerabilities. Additionally, open source security vendor Chainguard has partnered with Cisco, Cloudflare, JPMorgan Chase, and other major companies. start athenaanother vulnerability tuning system focused on open source software.

These two industry-led programs include frontier AI companies and participants from Anthropic’s Project Glasswing and OpenAI’s Daybreak coalitions. The Trump administration has not disclosed which companies are participating in the Gold Eagle program, including which AI companies are contributing resources to the effort. (Anthropic says this) it will participate At government-run clearinghouses. )

Gold Eagle already has one potential obstacle looming. The company’s system for exchanging vulnerability information relies on liability protections in the Cybersecurity Information Sharing Act, enacted by Congress in February. Temporarily re-authenticated Until the end of September. The Trump administration asked lawmakers to reauthorize the program for 10 years, saying protection is essential to a strong cybersecurity collaboration ecosystem.



Source link