Manifesto

The Structural Flaw of the Security Industry

A person who finds a vulnerability has two choices.

One. Report it. Receive a bounty. Ten thousand dollars if you’re lucky.

Two. Sell it on the black market. A hundred thousand dollars.

For any rational person, the math is done. In practice, many vulnerabilities go unreported. This is not a moral failure of individuals — it is a design failure of the market.

Traditional security audits don’t solve this either. To be audited, you must hand over your source code. The moment you do, leak risk is born. The auditor now knows the vulnerability. That knowledge stays in the auditor’s mind.

As long as vulnerability information exists, it can become a weapon.


Lethe is a security market where vulnerability information is destroyed after verification.

Code enters a Trusted Execution Environment (TEE). An audit agent analyzes it inside the TEE. If a vulnerability is found, it is verified and a patch is generated — all inside the TEE. Only encrypted results are delivered to the requester. Then the TEE is destroyed.

After the audit, no one holds the vulnerability. The audit agent doesn’t know — it was a one-time instance. The market operator doesn’t know. On-chain, only a record remains: “Vulnerability found. Verified. Settled.”

There is nothing left to sell on the black market.

Source code never leaves the TEE. You can receive a security audit without revealing your code. This single sentence opens the door for finance, healthcare, defense — industries that can never expose source code to external parties.


The premise of the existing security industry: “Collecting and sharing information makes us safer.”

The premise of Lethe: “Erasing information makes us safer.”

This is not an improvement. It is a paradigm shift.

AI already finds vulnerabilities better than humans. The same capability serves both defense and offense. As vulnerability discovery scales, what matters is not the finding — it is what happens to the information after.

Lethe is that answer. Discover, but leave no trace.


AI agents are writing, deploying, and operating software. The volume of software autonomously generated by agents has already surpassed what humans can audit. This gap will only widen.

Agents auditing agent-written code is inevitable. The question is — under what structure?

A world where tens of thousands of agents hold tens of thousands of vulnerabilities is a world with tens of thousands of weapons in circulation. Under the existing model — where auditors retain vulnerability knowledge — the agent economy makes this worse, not better.

Lethe is infrastructure for this future. Agents audit, and after the audit, the information is destroyed. As the agent economy scales, the need for a market where parties cooperate without trust only grows. And that market does not mandate tools. Any AI, any tool combination — only results are verified.


This is not a finished product. It is a working system in final integration testing.

Confidential escrow runs on the Oasis Sapphire testnet. A real Intel TDX TEE worker polls for open bounties, clones repositories via a GitHub App, runs Semgrep analysis, destroys the source code (NIST 800-88), and submits a Proof of Erasure on-chain. Asymmetric reputation scoring is deployed with circuit breakers.

Much is still missing. Multi-agent competitive market, dispute resolution, LLM-based deep analysis, encrypted result delivery. The vision is large. The code is growing.

But the direction is right.


This code is open.

If you can build it better, build it. If you want to deploy it on another chain, deploy it. If you want to change the name, change it. We will not stop you with licenses.

The purpose is to eliminate the structure that weaponizes vulnerability information. If that purpose is achieved, Lethe does not need to be the only market. This structure becoming the standard is enough.

If a competitor emerges and builds a better information erasure protocol — that means we won.


Lethe is the river of forgetfulness in Greek mythology.

Among the five rivers of the underworld, it is the only one about mercy. Souls must drink from Lethe and forget their past lives before they can begin anew. Daughter of Eris (strife), but unlike her siblings — pain, hunger, lies, murder — she is the one who grants release.

In the world of security — a world of attack and exploitation — she destroys information that could be weaponized, eliminating the raw material of destruction.

What must be forgotten shall be forgotten. What must be remembered shall be remembered.