
depthfirst Commits up to $5M in Credits to Help Open Source Software Find and Fix Zero Day Vulnerabilities

Launches the depthfirst Open Defense Initiative

Identifies Vulnerabilities in Open Source Frameworks That Next-Generation AI Models Overlooked, Demonstrating the Necessity of Accessible AI Security Platforms

SAN FRANCISCO--(BUSINESS WIRE)--depthfirst, an applied AI lab on a mission to secure the world’s software, today announced the launch of the depthfirst Open Defense Initiative (the “Initiative”). Through the Initiative, the company will commit up to $5 million in depthfirst platform credits to help critical open source projects discover, validate, and remediate vulnerabilities before they can be exploited.

The announcement comes as AI-powered vulnerability research approaches an inflection point. Recent disclosures from major AI labs have demonstrated that advanced models are capable of discovering vulnerabilities in widely deployed software projects with less human oversight, greater speed, and larger scale than was previously possible. Access to these capabilities remains limited today, but that window is rapidly closing.

For open source platforms, this shift is especially urgent. The projects that underpin critical infrastructure, from financial services to healthcare systems, are often maintained by small teams with limited security resources. As advanced vulnerability discovery becomes cheaper and more accessible, maintainers will need defensive access to comparable capabilities before attackers can use them at scale.

"AI is fundamentally changing who can find vulnerabilities and how fast," said Qasim Mithani, CEO and co-founder of depthfirst. "The open source projects that act as the backbone of modern technology need to move faster than the threat, and we’re launching the Open Defense Initiative to make that possible."

Introducing the depthfirst Open Defense Initiative

Through the Initiative, depthfirst is offering up to $5 million in platform credits to select open source projects. Priority will be given to widely deployed infrastructure software where vulnerabilities would have significant downstream impact. Selected maintainers will receive access to depthfirst’s platform, which analyzes codebases to find complex vulnerabilities, validate exploitability with evidence, and provide remediation guidance maintainers can act on directly.

“Open source maintainers are often the last line of defense for infrastructure that millions of people depend on. Having a partner like depthfirst focused on this problem is exactly what the community needs right now,” said Trustin Lee, founder of Netty, Armeria, LeapMux and Central Dogma.

The Initiative is currently partnering with the maintainers behind FFmpeg, Envoy, and Kata Containers, among others. In line with the company's mission to secure the world’s software, depthfirst is also proactively analyzing a range of widely deployed open source projects, including Linux, Armeria, Netty, OpenSSH, curl, systemd, SQLite, PostgreSQL, zlib, libpng, libarchive, qs, minimist, and QuickJS.

Open source project maintainers can apply for credits at opendefense.dev.

Enabling State of the Art Vulnerability Discovery at a Lower Compute Cost

Additionally, depthfirst disclosed today that it identified 12 previously unknown memory corruption vulnerabilities in FFmpeg, one of the world’s most widely deployed open source media frameworks. The vulnerabilities, some of which trace back to code introduced in 2009, were found and verified entirely by depthfirst’s platform, which also generated the patches that the maintainers applied to fix them.

Anthropic recently disclosed that it scanned FFmpeg with Mythos, its most advanced general-purpose language model. After reportedly running several hundred scans across the repository, Mythos identified multiple vulnerabilities at a compute cost of approximately $10,000. depthfirst's platform subsequently scanned FFmpeg and autonomously found the additional 12 vulnerabilities disclosed today using previous-generation models and about $1,000 in compute, approximately one-tenth of Anthropic’s reported spend. The results point to a core thesis behind depthfirst and the Open Defense Initiative: in security, the system around the model can matter as much as the model itself.

“Our findings show that effective vulnerability discovery depends on more than model strength alone,” continued Mithani. “We’re grateful to frontier AI labs for developing stronger general-purpose models, because each advance gives defenders more capability to build on. At depthfirst, we can use that progress to train our own specialized security models, but the major advantage comes from the full system around them: the harnesses and context that make vulnerability discovery reliable, actionable, and cost-effective.”

Since the start of the year, depthfirst’s platform has found vulnerabilities in other popular open source projects, including the Linux kernel, Chrome, OpenClaw, Apache HTTP Server, and NGINX. Some of these findings are currently under review by maintainers in accordance with coordinated disclosure practices.

Expanding Open Source Supply Chain Defense

depthfirst also shared today that it is expanding its work to address another growing risk in open source: malicious code hidden inside widely used packages. depthfirst will soon begin analyzing popular open source packages to identify malware and to keep unsafe code from executing in its customers’ environments. The company plans to share more details on this initiative in the coming months.

About depthfirst

depthfirst is an applied AI lab on a mission to secure the world’s software by automating security from design to production for businesses facing modern, AI-era threats. The company’s AI-native security platform builds context on a company’s code, infrastructure, and business logic to find complex vulnerabilities, focus on the important issues, and provide developers with ready-to-merge fixes. depthfirst has raised $120M from investors including Meritech Capital, Accel, Forerunner Ventures, BoxGroup, Mantis VC, Liquid 2 Ventures, Alt Capital, SV Angel, and The House Fund. To learn more, visit depthfirst.com.
