The clearinghouse boom is not new, and neither is the fatigue
Chainguard announced Athena. Red Hat and the White House announced Lightwell. Vulnerability clearinghouses have been getting reannounced since the 1980s.
Chainguard’s CEO Dan Lorenc published an op-ed on The Hacker News yesterday with the plainly-stated title Summer of Clearinghouses. The piece announces the company’s own vulnerability clearinghouse, Athena, and simultaneously registers a complaint about the fact that everyone else has been announcing one too — including, in Lorenc’s phrase, “a five-billion-dollar press release” that most readers will recognize as Red Hat and IBM’s Project Lightwell, launched with White House involvement earlier in the summer.
The op-ed is worth reading on its own terms. Lorenc’s central line — “the clearinghouse is the least important thing to build” — is correct, and unusually candid for a piece whose commercial purpose is to build one. His argument that findings sitting in a database have never patched anything is also correct. What is more interesting than the argument, though, is the fact that the industry is having it again.
Analysis, not incident reporting. Nothing about Athena or Lightwell is a breach or an exploit; both are announcements of coordination infrastructure. This piece is commentary on the pattern the announcements fit into, not a review of either operation’s technical claims.
The list is longer than the summer
Vulnerability clearinghouses — pools of vulnerability data with a front door, in Lorenc’s definition — are among the oldest structures in the field. CERT/CC was stood up at Carnegie Mellon in 1988, in the direct aftermath of the Morris worm, on the theory that the internet needed a phone number someone could call. FIRST, the Forum of Incident Response and Security Teams, followed in 1990 as the coordinating body for those phone numbers across borders. MITRE’s CVE program dates to 1999. NVD, the National Vulnerability Database that most people still treat as canonical, went live in 2005. Information Sharing and Analysis Centers (ISACs) proliferated across sectors through the 1990s and 2000s; ISAOs were formalized by executive order in 2015 to catch the organizations that did not fit an ISAC. OSV, the Open Source Vulnerabilities database Google shipped in 2021, exists specifically to be the clearinghouse the older ones were not built to be. GitHub’s Advisory Database has been steadily absorbing that same role for the ecosystems it hosts. Sonatype has run OSS Index for years. Snyk maintains its own database. So does GitLab.
That is not a complete list, and the missing entries are the point. The specific new thing about Athena and Lightwell — pre-disclosure pooling of open-source findings, coordinated remediation before public release — is a real and defensible technical distinction. But the shape of the announcement, the reasoning offered for why one more coordinating body is now needed, and the confidence that this time it will stick, are all recognizable. The industry has been solving this problem for as long as it has had the problem.
Why the pattern repeats
The uncharitable read is that each new wave is downstream of a fundraise, a policy initiative, or a vendor’s need to demonstrate that its customer data can be repackaged as a public good. Some of that is real; the “five-billion-dollar press release” barb in the op-ed is not a cheap shot, and Chainguard’s own announcement is timed against exactly the pressure it complains about.
The charitable read is that the problem genuinely does keep shifting under the coordinators. CERT/CC was designed for a world with a few thousand internet-connected hosts and a small pool of maintainers to call. CVE and NVD were designed for a proprietary-software industry with vendor security response teams as the primary submitters. OSV and GitHub Advisory Database were designed because that model did not extend to the long tail of open source, where the “vendor” is often one person with a day job and no PSIRT. Athena and Lightwell are being pitched as the answer to a further shift — findings generated by automated tools, especially AI-assisted vulnerability discovery, at a rate the older intake queues cannot absorb.
Both reads are compatible with the historical pattern. Every generation of infrastructure gets built to fit the problem the previous generation could not, discovers that the actual work is remediation rather than intake, and quietly stabilizes into being one entrant among many. The announcement is the loud part. The throughput is the part that decides whether the thing lasts.
What actually separates them, if anything does
Lorenc’s op-ed gives one useful metric for evaluating clearinghouses that does not depend on how the announcement reads. He states Athena has processed more than twenty thousand findings and shipped more than two thousand patches upstream. Those are numbers with a shape — an intake volume, an outbound throughput, a ratio between them. Whether Chainguard’s numbers hold up to scrutiny is a separate question, and one worth asking. But the framing is right. A clearinghouse that has published its intake and its patch throughput is offering something specific to compare against. A clearinghouse that has published only its charter, its board of advisors, and a rendered logo is offering something else.
Applied to Lightwell, the same metric is not yet available. Red Hat and the White House have described what Lightwell is meant to do; they have not yet, as far as public reporting shows, put an intake or a patched-count against it. That is not evidence of failure. It is a reason to wait before deciding what the announcement was actually about.
The audience that has heard this before
Sysadmins, package maintainers, and SOC analysts have watched a coordinating body arrive with an announcement every few years for a career now, and the ones who are still doing the work tend to have the same reaction: it is easier to trust an outfit that produces patches than one that produces framing. The current wave will sort itself out on those terms, the way the previous waves did. NVD is still here. CERT/CC is still here. Most of the ISACs are still here. Whichever of the current entrants is still filing patches upstream in three years will be the one people remember.
Until then, the useful thing readers can do with a clearinghouse announcement is to ask what number the announcement is willing to publish, and how often it plans to publish it. The rest is press.
Found this useful? Share it.