Gold Eagle: All that Glitters is Not Patched
- Katie Moussouris
- 16 minutes ago
- 4 min read

The White House just launched Gold Eagle, a federal vulnerability clearinghouse established under Sec. 2(d) of the June 2 Executive Order. It promises to deconflict vulnerability scanning, validate findings, and prioritize remediation across open source and critical infrastructure.
Recent incidents show the US government and most private organizations still lack critical process basics.
A coordinated vulnerability disclosure program without internal process capability, whether at a single organization or a clearinghouse like Gold Eagle, is an organism without a digestive system. Things are going to get messy.
All Dressed Up and Nowhere to Go
The cross-industry prioritization gap Gold Eagle targets is real. But the devil is in the process details. I warned about this when CISA issued BOD 22-01: vulnerabilities don't resolve just because someone has identified them.
The new joint guidance from CISA, NSA, JPCERT/CC, NCSC-NL, and NCSC-UK on Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers omits an essential reference to ISO/IEC 30111 Vulnerability handling processes, which governs internal vulnerability investigation and remediation. I coauthored that standard along with ISO/IEC 29147 Vulnerability disclosure and vulnerability disclosure cannot function without vulnerability handling processes.
The postmortem on CISA's AWS keys sitting in a public GitHub repo for six months shows what happens when routing and escalation procedures are missing. The recent Cursor disclosure by respected cybersecurity firm Mindgard also shows that even well-funded organizations with “managed programs” on major bug bounty platforms still struggle to address process issues to protect customers.
AI Broke the Balance Between Finding and Fixing
AI now generates vulnerability reports far faster than humans can validate and remediate, and open-source maintainers are drowning in the output. A clearinghouse that validates and deduplicates findings before they hit maintainers, then routes fixes to everyone affected, could convert AI noise into defensive signal.
But validation and fixing are still largely human work. Even Anthropic's own disclosure dashboard relies on humans to validate bugs, and only 97 of nearly 1,600 valid reported bugs have been patched. The dashboard has been frozen at 27 bugs fixed since May 22. If a leading frontier AI lab cannot keep its own disclosure dashboard current, that tells you how much human process still gates the path from finding to fixing.
Deconfliction Only Works Inside the Tent
Gold Eagle can only deconflict bug discovery among its participants. It cannot deconflict the world. Researchers will keep scanning whatever they want and reporting directly to maintainers. The realistic win is narrower: participants may waste fewer AI compute cycles on the same targets.
Prioritization is Subjective and Context Dependent
Two and possibly three of the four criteria in CISA's own BOD 26-04: Prioritizing Security Updates Based on Risk are subjective and specific to each organization. A central clearinghouse cannot tell a hospital, a bank, and a federal agency the same patch order and always be right for all three. Prioritization stays local, where the business context lives.
Hot Clearinghouse Summer
In the past month alone, the private sector stood up three efforts: the Linux Foundation's Akrites coordinates disclosure, Chainguard's Athena orchestrates findings, and IBM and Red Hat's Lightwell sells the fix. Gold Eagle overlaps all three somewhere. If deconfliction was the goal, this new player entering the chat isn’t necessarily helping.

Four Things the Government and Private Organizations Should Do
Executed and funded well, Gold Eagle could become the connective tissue this moment needs.
Similar advice applies to any organization standing up vulnerability coordination.
1. Don't boil the ocean. Consider your maturity and build deliberately on vulnerability management processes for known bugs to find the process gaps that will sink a program handling new bug discoveries.
2. Establish a baseline now. Measure remediation rates, time to patch, and bug recurrence before and after standing up a new program, or nobody will know if it helped.
3. Recognize new risk. Centralizing unpatched vulnerabilities builds a convenient target. Particular risk to Gold Eagle: Why hack a thousand organizations when you can hit one bug jackpot? For everyone: As always, architect for zero trust, enforce access management rigorously, and plan for breach.
4. Change the incentives. Governments should consider software liability laws for commercial vendors, fund the open-source maintainers who actually fix things, and require a percentage of closed source profit to divert to maintain the open-source libraries it uses. Other organizations should enforce contractual liability in procurement. Voluntary investment is clearly not sufficient.
Bug identification was never the bottleneck. Process is. Even if this new clearinghouse works well, applying the fixes in prioritized order is a whole other dimension of achieving measurable security at AI scale. We are in the churning river rapids of AI vulnerability discovery before we reach the promised calm of bug rarity thanks to AI. Getting there is like panning for gold in a river full of fool’s gold and mud.
Katie Moussouris is the founder and CEO of Luta Security, co-author of the ISO standards for coordinated vulnerability disclosure and vulnerability handling, and creator of the Vulnerability Coordination Maturity Model. Whether you feed a federal clearinghouse or just your own backlog, your outcomes depend on your process. Get in touch to assess and mature your vulnerability management in the AI era.
