{"slug": "akrites-linux-foundation-launches-open-source-security-coalition", "title": "Akrites: Linux Foundation Launches Open Source Security Coalition", "summary": "The Linux Foundation and 19 industry partners launched Akrites, an open source security coalition, on June 25, 2026, to address the surge in AI-discovered vulnerabilities that overwhelms maintainers. The initiative provides a shared incident response team and a standardized disclosure process, and acts as maintainer of last resort for abandoned packages, aiming to close the gap between vulnerability discovery and patching.", "body_md": "The open source ecosystem has a math problem. Frontier AI models now surface vulnerabilities in major projects in minutes — a task that used to take expert humans weeks. Of the thousands of validated vulnerabilities found in recent months, fewer than 5% have been patched. On June 25, 2026, the Linux Foundation and 19 industry heavyweights launched [Akrites](https://akrites.org/), a coordinated open source security initiative to close that gap before AI-enabled exploits turn a slow crisis into a fast disaster.\n\n## The AI Vulnerability Arms Race Has Broken the Old Model\n\nFor most of open source’s history, attackers and defenders operated on roughly the same timeline. Finding a serious vulnerability in a widely used project required expertise that took years to develop — the same expertise defenders had. That balance is gone. Frontier AI models can now scan a major codebase and return multiple vulnerabilities in a single pass, in minutes. Endor Labs found over 23,000 vulnerabilities across 1,000+ open source projects in a single month of scanning. Fewer than 5% were fixed.\n\nThe curl project illustrates what this looks like at ground level. Before AI tools proliferated, Daniel Stenberg’s team received roughly one vulnerability report per week. Today, they receive one every 18 hours, roughly nine times the earlier rate. 
In January 2026, curl [ended its bug bounty program](https://www.bleepingcomputer.com/news/security/curl-ending-bug-bounty-program-after-flood-of-ai-slop-reports/) after a flood of AI-generated reports overwhelmed the volunteer team. The project has since announced a month-long pause of all vulnerability intake for July, the “curl summer of bliss.” If this can happen to one of the most critical pieces of networking software on Earth, it can happen to anything.\n\nAnthropic expects Mythos-class capabilities — autonomous vulnerability discovery at scale — from multiple AI companies within six to twelve months. The OpenInfra Foundation, for its part, reported 20 security advisories in Q2 2026 alone, versus just two for all of 2025. The problem is accelerating, not slowing.\n\n## How Akrites Open Source Security Works\n\nAkrites operates through three mechanisms. First, a shared Security Incident Response Team (SIRT) serves as a single intake point for vulnerability reports. Instead of AWS, Google, Cisco, and a dozen other organizations independently filing duplicate reports that bury maintainers under conflicting patches, they all route findings through the SIRT. The team deduplicates, validates severity, and assigns ownership, so maintainers get one coordinated case instead of forty variations of the same problem.\n\nSecond, a standardized [Coordinated Vulnerability Disclosure (CVD) process](https://akrites.org/) keeps everything confidential until the fix ships. Reports are TLP:RED from intake, visible only to the case team. Maintainers work under a synchronized disclosure window, and the fix publishes to the original upstream namespace at disclosure time. This closes the dangerous gap between “vulnerability known” and “patch available.”\n\nThird — and most novel — Akrites acts as *maintainer of last resort*. 
For abandoned packages that remain deeply embedded in production systems, Akrites steps in, patches the current version, and ships it upstream. This directly addresses the abandoned package problem: the npm module with 10 million weekly downloads and no active maintainer. No previous open source security initiative has offered this.\n\n## Who Signed On (and Why It Matters)\n\nThe [founding coalition](https://akrites.org/letter/) includes 19 organizations: AWS, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler. Supporting foundations include CNCF, OpenJS, OpenSSF, and PyTorch Foundation. The fact that AWS, Google, Microsoft, Anthropic, and OpenAI are all at the table — fierce competitors on nearly everything else — signals genuine urgency, not marketing. Ericsson’s Chief Product Security Officer Mikko Karikytö stated it plainly: “Vulnerability discovery is now moving at a speed that overwhelms maintainers and users.”\n\nSeed funding comes from Alpha-Omega, a Linux Foundation directed fund. Organizations that want to contribute engineering resources or funding can find details at the [Linux Foundation announcement page](https://www.linuxfoundation.org/press/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats).\n\n## What Developers Need to Know\n\nIf you use open source — and you do — Akrites changes two things. Vulnerabilities in actively maintained packages will get found, coordinated, and disclosed faster, with less chaos reaching maintainers. Vulnerabilities in abandoned packages that currently just sit there might actually get patched. 
The maintainer-of-last-resort function is the most important capability here: it’s not glamorous, but it fills the gap that every previous open source security initiative has ignored.\n\nIf you maintain open source yourself, Akrites offers to absorb some of the AI-generated reporting volume that is currently threatening maintainer sanity at projects like curl. Whether the SIRT can actually scale to match AI discovery rates remains the open question, but the alternative is what curl is living through right now, at scale, across every project in the ecosystem.\n\n### Key Takeaways\n\n- AI models now find open source vulnerabilities in minutes — the old defender-attacker equilibrium is broken, and Akrites is the industry’s coordinated response\n- Fewer than 5% of thousands of recently validated vulnerabilities have been patched, according to Endor Labs data cited in the Akrites open letter\n- The three pillars: shared SIRT (single intake, no duplicate reports), standardized CVD process (confidential until patch ships), and maintainer of last resort (abandoned critical packages get fixed)\n- AWS, Google, Microsoft, Anthropic, OpenAI, NVIDIA, Red Hat, and 12 others signed on — the breadth of competing organizations signals this is a real effort, not a press release\n- Watch akrites.org for operational updates; the initiative launched on June 25, 2026, and scaling details are still being finalized", "url": "https://wpnews.pro/news/akrites-linux-foundation-launches-open-source-security-coalition", "canonical_source": "https://byteiota.com/akrites-linux-foundation-open-source-security/", "published_at": "2026-06-26 11:13:50+00:00", "updated_at": "2026-06-26 11:41:14.336580+00:00", "lang": "en", "topics": ["ai-safety", "ai-research"], "entities": ["Linux Foundation", "Akrites", "AWS", "Anthropic", "Google", "Microsoft", "OpenAI", "curl"], "alternates": {"html": "https://wpnews.pro/news/akrites-linux-foundation-launches-open-source-security-coalition", "markdown": 
"https://wpnews.pro/news/akrites-linux-foundation-launches-open-source-security-coalition.md", "text": "https://wpnews.pro/news/akrites-linux-foundation-launches-open-source-security-coalition.txt", "jsonld": "https://wpnews.pro/news/akrites-linux-foundation-launches-open-source-security-coalition.jsonld"}}