The Linux Foundation and 20 tech companies have launched Akrites, an initiative designed to address open-source security risks by patching vulnerabilities before AI-powered attacks can exploit them. The project aims to replace the current uncoordinated system for reporting security flaws with a centralized approach that ensures faster and more effective responses. According to the Linux Foundation, the initiative will work alongside open-source project maintainers to ensure vulnerabilities are addressed before attackers can take advantage. The effort is a response to the growing threat posed by AI models, which can scan code in minutes and expose flaws that were previously difficult to find. This shift in the balance of power has made it essential to create a more coordinated and efficient way of handling security issues in open-source software. The initiative includes a shared Security Incident Response Team (SIRT) that will act as a single point of contact for project maintainers, vet reports, and coordinate fixes. This centralized approach aims to eliminate the patchwork system currently in place, where multiple organizations independently flag the same flaws and deliver conflicting patches. By using a standardized process for confidential vulnerability disclosure, Akrites ensures that reports are handled securely and efficiently. The initiative also plans to step in as a 'maintainer of last resort' for abandoned projects, ensuring that critical patches are delivered to all users. Additionally, Akrites will coordinate with government agencies to align private and public security efforts. The initiative is backed by a seed fund from Alpha-Omega, a directed fund under the Linux Foundation, and invites other organizations to contribute resources or funding. The project's founding members include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler.
The Linux Foundation has announced Akrites, a coordinated industry initiative to patch security flaws in widely used open-source software alongside maintainers before attackers can take advantage.
Founding members include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler.

The reason is a shift in the balance of power: finding and fixing serious bugs in open-source code used to require comparable expertise on both sides. Modern AI models can now scan a large project in minutes instead of weeks, exposing flaws far faster. Once those abilities are widely available, even attackers without deep technical skills get the tools for sophisticated exploits.

The Linux Foundation describes the current security response model as patchwork. Many organizations scan the same packages independently, report the same findings multiple times, and sometimes deliver conflicting patches. Maintainers get buried under duplicates while real, exploitable bugs get lost in AI-generated noise. Endor Labs CEO Varun Badhwar put the urgency in sharp terms: of thousands of validated open-source vulnerabilities from recent months, fewer than five percent have been patched.

One shared response team instead of a hundred separate reports

At the core of Akrites is a shared Security Incident Response Team (SIRT). It acts as a single, reliable point of contact for open-source project maintainers instead of dozens of organizations independently flagging the same flaws. The team vets incoming reports, filters out duplicates, and then coordinates fixes. Akrites uses a standardized process for confidential vulnerability disclosure, known in the industry as Coordinated Vulnerability Disclosure.
It builds on established standards like the CVE identifier system, the CVSS severity scoring framework, and the TLP traffic-light protocol that governs who gets to see what. Confidentiality is central: every report starts at TLP:RED, the highest classification level, and only the assigned case team can access it. That way, details about a flaw don't leak before a patch is ready.

Maintainers keep control even when there are none left

Finished fixes flow back into the original project on the maintainer's terms, keeping developers in control. When a critical package no longer has an active maintainer - a common problem with volunteer-run projects - Akrites plans to step in as a 'maintainer of last resort' and ship the fix itself, so the patch reaches all users in time. The initiative also plans to coordinate with government agencies so private and public defenders move in lockstep. Seed funding comes from Alpha-Omega, a directed fund under the Linux Foundation. Other organizations that want to contribute engineering resources or funding are invited to join.