![](\"https:\/\/mms.businesswire.com\/media\/20260512535791\/en\/2802517\/5\/depthfirst_logo_black.jpg\"){kind=logo}
<\/a><\/a>\nThe announcement comes as AI-powered vulnerability research approaches an inflection point. Recent disclosures from major AI labs have demonstrated that advanced models are capable of discovering vulnerabilities in widely deployed software projects with less human oversight, greater speed, and larger scale than was previously possible. Access to these capabilities remains limited today, but that window is rapidly closing.<\/p>
\nFor open source platforms, this shift is especially urgent. The projects that underpin critical infrastructure, from financial services to healthcare systems, are often maintained by small teams with limited security resources. As advanced vulnerability discovery becomes cheaper and more accessible, maintainers will need defensive access to comparable capabilities before attackers can use them at scale.<\/p>
\n\"AI is fundamentally changing who can find vulnerabilities and how fast,\" said Qasim Mithani, CEO and co-founder of depthfirst. \"The open source projects that act as the backbone of modern technology need to move faster than the threat, and we\u2019re launching the Open Defense Initiative to make that possible.\"<\/p>
\nIntroducing the depthfirst Open Defense Initiative<\/b><\/p>
\nThrough the Initiative, depthfirst is offering up to $5 Million in platform credits to select open source projects. Priority will be given to widely deployed infrastructure software where vulnerabilities would have significant downstream impact. Selected maintainers will receive access to depthfirst\u2019s platform, which analyzes codebases to find complex vulnerabilities, validate exploitability with evidence, and provide remediation guidance maintainers can act on directly.<\/p>
\n\u201cOpen source maintainers are often the last line of defense for infrastructure that millions of people depend on. Having a partner like depthfirst focused on this problem is exactly what the community needs right now,\u201d said Trustin Lee, founder of Netty, Armeria, LeapMux and Central Dogma.<\/p>
\nThe Initiative is currently partnering with the maintainers behind FFmpeg, Envoy, and Kata Containers, among others. In line with the company's mission to secure the world\u2019s software, depthfirst is also proactively analyzing a range of widely deployed open source projects, including Linux, Armeria, Netty, OpenSSH, curl, systemd, SQLite, PostgreSQL, zlib, libpng, libarchive, qs, minimist, and QuickJS.<\/p>
\nOpen source project maintainers can apply for credits at opendefense.dev<\/a>.<\/p> \nEnabling State of the Art Vulnerability Discovery at a Lower Compute Cost<\/b><\/p> \nAdditionally, depthfirst disclosed today that it identified 12 previously unknown memory corruption vulnerabilities in FFmpeg, one of the world\u2019s most widely deployed open source media frameworks. The vulnerabilities, some of which trace back to code introduced in 2009, were found and verified entirely by depthfirst\u2019s platform, which also generated the patches that the maintainers applied to fix them.<\/p> \nAnthropic recently disclosed that it scanned FFmpeg with Mythos, its most advanced general-purpose language model. After reportedly running several hundred scans across the repository, Mythos identified multiple vulnerabilities at a compute cost of approximately $10,000. depthfirst's platform subsequently scanned FFmpeg and autonomously found the additional 12 vulnerabilities disclosed today using previous-generation models and about $1,000 in compute, approximately one-tenth of Anthropic\u2019s reported spend. The results point to a core thesis behind depthfirst and the Open Defense Initiative: in security, the system around the model can matter as much as the model itself.<\/p> \n\u201cOur findings show that effective vulnerability discovery depends on more than model strength alone,\u201d continued Mithani. \u201cWe\u2019re grateful to frontier AI labs for developing stronger general-purpose models, because each advance gives defenders more capability to build on. At depthfirst, we can use that progress to train our own specialized security models, but the major advantage comes from the full system around them: the harnesses and context that make vulnerability discovery reliable, actionable, and cost-effective.\u201d<\/p> \nSince the start of the year, depthfirst\u2019s platform found vulnerabilities<\/a> in other popular open source projects like Linux Kernel, Chrome, OpenClaw, Apache HTTP, and NGINX. Some are currently under review by maintainers in accordance with responsible disclosure practices.<\/p> \nExpanding Open Source Supply Chain Defense<\/b><\/p> \ndepthfirst also shared today that it is expanding its work to address another growing risk in open source: malicious code hidden inside widely used packages. depthfirst will soon begin analyzing popular open source packages to identify malware and prevent unsafe code from executing for its customers. The company plans to share more details on this initiative in the coming months.<\/p> \nAbout depthfirst<\/b><\/p> \ndepthfirst is an applied AI lab on a mission to secure the world\u2019s software by automating security from design to production for businesses facing modern, AI-era threats. The company\u2019s AI-native security platform builds context on a company\u2019s code, infrastructure, and business logic to find complex vulnerabilities, focus on the important issues, and provide developers with ready-to-merge fixes. depthfirst has raised $120M from investors including Meritech Capital, Accel, Forerunner Ventures, BoxGroup, Mantis VC, Liquid 2 Ventures, Alt Capital, SV Angel, and The House Fund. To learn more, visit depthfirst.com<\/a>.<\/p>