Chainguard joins push to protect open-source software from AI-powered vulnerability hunting

June 4, 2026 Open-source security company Chainguard is committing $50 million and 100 engineers to help address what it sees as a growing threat from AI-powered vulnerability discovery tools. The initiative comes just days after IBM and Red Hat announced Project Lightwell, a larger effort backed by $5 billion and 20,000 engineers aimed at strengthening open-source security.

Chainguard CEO Dan Lorenc outlined the company’s concerns in a blog post titled The Hardest Fork, arguing that the way enterprises consume open-source software is no longer sustainable in an era of advanced AI security tools.

Lorenc specifically pointed to Anthropic’s Mythos, an AI-powered code analysis system that has drawn attention for its ability to identify complex security issues. He argued that Mythos represents a fundamentally different type of threat because it can combine multiple existing vulnerabilities into more serious attack chains.

Rather than simply being a more capable scanner, Lorenc described Mythos as “a different category of threat.” He warned that AI systems can now uncover vulnerabilities at a scale that traditional coordinated disclosure processes may struggle to handle.

“A model can now find hundreds overnight in the long tail,” Lorenc wrote. “The existing system is not going to keep up.”

According to Lorenc, open-source software faces structural challenges that make the situation more difficult. Modern applications often rely on deep dependency chains, where changes to one component can affect an entire software stack. At the same time, many critical open-source projects are maintained by only a handful of volunteers.

He noted that maintainers are already dealing with large volumes of automated scanner reports and AI-generated submissions, making it harder to focus on genuine security issues.

To address the problem, Lorenc proposed what he calls a two-part approach.

The first, “Plan A,” focuses on scaling coordinated vulnerability disclosure. He argued that the ecosystem needs a trusted organization capable of vetting reports, routing patches, and helping maintainers respond quickly, and that the process cannot depend on multiple groups independently submitting large volumes of reports.

Lorenc pointed to Project Glasswing as an example of the challenge, noting that it has successfully upstreamed only a small percentage of its findings.

For vulnerabilities that cannot be addressed through coordinated disclosure, Lorenc proposed a fallback option he calls a “maintainer of last resort.” Under this model, organizations could fork abandoned or unsupported open-source projects and continue maintaining them.

Open-source licenses already allow projects to be forked, but Lorenc argued the challenge now is scale. The goal would be to create infrastructure capable of maintaining thousands of projects under pressure from increasingly sophisticated threats.

Looking ahead, Lorenc outlined three possible futures for open source: doing nothing and hoping current systems work, a fragmented future where organizations maintain competing versions of critical software, or a coordinated effort to build new trust infrastructure around vulnerability disclosure and maintained forks.

Whether those efforts succeed remains uncertain, but Lorenc argued that the open-source ecosystem must begin adapting to the realities of AI-driven security research.

Jim Love

Jim is an author and podcast host with over 40 years in technology.