The Trump administration on Tuesday announced the launch of a program that will coordinate the security community’s use of frontier AI models to rapidly identify and fix vulnerabilities.
The vulnerability management clearinghouse, which the administration is calling Gold Eagle, is a response to the skyrocketing number of vulnerabilities that AI models are finding and the strain that that surge is placing on the security community. Through the clearinghouse, the government will coordinate efforts by private companies and independent researchers to scan critical software packages for flaws, fix any flaws that surface and deploy those fixes to end users.
With so many security experts looking for software vulnerabilities, the government is trying to marshal their expertise — and the capabilities of the frontier AI models that many of them are using — in a harmonized way. The goal is to deploy the nation’s vulnerability hunters and their AI tools across the widest possible range of software, rather than see some of them duplicate their efforts by focusing on the same software, squandering precious time and resources in the arms race against cybercriminals and nation-state adversaries.
Gold Eagle “has already begun to intake and prioritize identified cybersecurity vulnerabilities from across industries and sectors, coordinate scanning verifications, and ultimately ensure the security of our nation’s software and networks,” the White House said in a statement.
The core of the Gold Eagle program is the Vulnerability Information and Coordination Environment (VINCE), which the government is operating in partnership with Carnegie Mellon University’s Software Engineering Institute. The VINCE platform will allow anyone to report vulnerabilities to the Gold Eagle program for triage and mitigation.
VINCE will enable “vulnerability and patching coordination at a speed and scale never seen before,” National Cyber Director Sean Cairncross told reporters during a briefing on Tuesday.
Gold Eagle will focus heavily on open-source software, whose code underpins a wide range of critical infrastructure but is often poorly scrutinized. Open-source developers, many of whom volunteer their time to maintain their projects, say they have been overwhelmed by a tidal wave of AI-generated bug reports, some of which are startlingly accurate.
Open-source developers “are important partners” in the Gold Eagle program, Cairncross said, describing their code as essential to American life.
Redundancy, liability concerns
The White House described Gold Eagle — the creation of which President Donald Trump mandated in his June executive order on AI security — as “a coordinated system to receive and patch cyber vulnerabilities at a speed and scale never seen before,” one that “represents a new operational model for cyber defense.”
Even so, Gold Eagle arrives at a time when the private sector has already created several similar programs. The Linux Foundation, with support from Anthropic, Microsoft and other leading tech companies, has created a program called Akrites to boost the open-source community’s identification and handling of vulnerabilities. And the open-source security vendor Chainguard has partnered with Cisco, Cloudflare, JPMorgan Chase and other major businesses to launch Athena, another vulnerability coordination system focused on open-source software.
Those two industry-led programs involve frontier AI firms and participants in Anthropic’s Project Glasswing and OpenAI’s Daybreak coalitions. The Trump administration has not identified the companies participating in the Gold Eagle program, including which AI firms are contributing their resources to the effort. (Anthropic has said that it would participate in the government-led clearinghouse.)
One potential obstacle already looms large over Gold Eagle: Its system of exchanging vulnerability information relies on the liability protections of the Cybersecurity Information Sharing Act, which Congress in February temporarily reauthorized through the end of September. The Trump administration has called on lawmakers to reauthorize the program for 10 years, saying its protections are essential to a robust cybersecurity collaboration ecosystem.