- Key insight: Treasury, the government's lead cyber partner to banks, is one of four agencies running Gold Eagle, a new AI clearinghouse for collecting and patching software vulnerabilities.
- What's at stake: Gold Eagle's mandate to coordinate and share vulnerability findings across government sits awkwardly against Treasury's existing promise that banks' scan results stay private and away from regulators.
- Expert quote: Avi Gesser, a Debevoise & Plimpton partner who advises financial firms, said the biggest risk is sharing highly sensitive vulnerabilities "without knowing exactly who is going to get access to that data, and what it can be used for."
Overview bullets generated by AI with editorial review.
The federal government has built a new clearinghouse to collect software vulnerabilities, rank them and coordinate their patching across critical industries. Treasury will help run it.
The White House announced the program, called Gold Eagle (stylized by the government in all caps), in a
The announcement describes an operation powered by artificial intelligence that accepts reports of cyber vulnerabilities from across industries, confirms them and pushes prioritized fixes back to defenders in government and business.
The White House, the Treasury Department, the Department of Homeland Security (through the Cybersecurity and Infrastructure Security Agency, or CISA) and the Defense Department (which the Trump administration calls the Department of War) will lead the project.
Treasury is the sector risk management agency for financial services, which means it is the government's designated lead cyber partner to banks. Pairing AI with cybersecurity for the sector predates Gold Eagle; the department
Gold Eagle gives the government a new way to collect and route information about the software flaws in banks' own systems — the kind of data institutions typically guard closely.
Joining could also create regulatory compliance or legal risk for banks that choose to do so. Handing a bank's most sensitive security data to a government system built to share it could expose the bank to heightened regulatory scrutiny or lawsuits, according to a cybersecurity lawyer who advises financial firms.
The order behind it
Gold Eagle carries out part of
Per the order, that clearinghouse "coordinates and deconflicts scanning for software vulnerabilities, discovers and validates such vulnerabilities, and coordinates and prioritizes remediation and distribution of vulnerability patches."
The order also tells CISA to open access to government cybersecurity tools, "including, where appropriate, covered frontier models," to critical-infrastructure operators "such as rural hospitals, community banks, and local utilities."
The government has not named which frontier models (the current most advanced AI models from major vendors) are covered.
Built on plumbing Treasury already runs
Under
Treasury's own
But the Tuesday order says the Gold Eagle program will distribute vulnerability findings throughout the federal government.
None of the public materials about the new program say whether the scan data banks already share through Project Fortress will feed Gold Eagle. There is also no word on, if the scan data is shared, how the confidentiality promise of Project Fortress survives.
Treasury did not immediately respond to a request for comment.
That gap should give banks pause, according to Avi Gesser, a partner at Debevoise & Plimpton who co-chairs the firm's data strategy and security group and advises financial-services companies on cybersecurity.
When considering participation in Gold Eagle, the biggest risk banks face is sharing highly sensitive vulnerabilities "without knowing exactly who is going to get access to that data, and what it can be used for," he said.
He noted that the information a bank might turn over could include how long it has known about a given flaw, and he invoked the possibility that the government might use such information in a regulatory action or lawsuit against the bank.
Gesser sees a potential tension with the confidentiality promise, too. Project Fortress assures firms that their specific vulnerabilities stay confidential and are not shared with regulators, "but I haven't seen that kind of assurance about Gold Eagle," he said.
Operational and short on specifics
The White House says Gold Eagle has already started the process that will "intake and prioritize" vulnerabilities. It has not said who is taking part, how a bank would join or how the clearinghouse relates to the Project Fortress services banks already use.
The announcement names no company partners and describes no way to enroll. It is also silent on how Gold Eagle relates to the vulnerability-tracking infrastructure the government already backs.
Through CISA (one of Gold Eagle's four leads), the government already sponsors the
That backbone
CISA renewed it for 11 months only hours before the deadline. Board members, rattled by the near-miss,
Gold Eagle appears positioned to fast-track private dissemination of vulnerabilities that would eventually land in the public CVE database.
The frontier AI behind it
Gold Eagle depends on frontier AI for identifying vulnerabilities, and the June order (the one that presaged Tuesday's order) tells the government to build a framework for identifying those "covered frontier" models and getting early access to them.
The government has not named the developers Gold Eagle will draw on, but the usual suspects would be Anthropic and OpenAI, which are the current U.S. leaders in large language models.
In mid-June, the Commerce Department
Anthropic
The government restored access for Mythos and Fable later in June after Commerce Secretary Howard Lutnick said his team had "worked closely" with Anthropic to review and approve the models. White House Chief of Staff Susie Wiles tied the resolution to that June executive order.
Also in June, the White House
What a bank should ask first
For a bank weighing whether to take part in Gold Eagle, Gesser said its general counsel or chief information security officer should get written answers first to questions such as: Who can see findings that identify the bank? Can that data be used in regulatory investigations?
He would also want to know whether the sharing qualifies for the liability protections of the Cybersecurity Information Sharing Act of 2015, and what becomes of them after
The effect on banks' disclosure duties is murkier. Gesser pointed out their existing obligations under the banking agencies'
The open question, he said, is whether learning of a serious flaw through the clearinghouse (say, confirmation that attackers are already exploiting it in a bank's systems) starts the clock on those obligations sooner than the bank might expect.












