Anthropic, Google, and Microsoft just built a shared security team for open source. AI is why.

Anthropic, Google, Microsoft, OpenAI, AWS, and 15 other organizations launched Akrites under the Linux Foundation, a coordinated body for AI-era vulnerability discovery, remediation, and disclosure in critical open-source software. The initiative responds to AI's ability to surface thousands of validated open-source vulnerabilities, with fewer than 5% patched, and aims to accelerate upstream patching before disclosure.

AI can now scan major open-source projects and surface a batch of real, exploitable vulnerabilities in a single pass. That's a defensive win — until you remember attackers have the same tools. Anthropic, Google, Microsoft, OpenAI, AWS, and 15 other organizations aren't waiting for that race to get worse. On Thursday they launched Akrites https://akrites.org/ under the Linux Foundation — a coordinated body built specifically for AI-era vulnerability discovery, remediation, and disclosure in critical open-source software. The name comes from the Akritai — Byzantine soldiers who guarded the empire's outermost borders. The places most exposed, most frequently attacked, and most dependent on whoever showed up to defend them. The current coordinated disclosure model was designed around a world where finding vulnerabilities took weeks of expert work. AI has collapsed that timeline. Endor Labs CEO Varun Badhwar put a number on it: thousands of validated open-source vulns surfaced by AI in recent months, with fewer than 5% patched. And the old model makes it worse — every org independently sitting on knowledge of an unpatched flaw is another leak risk before a fix exists. "For years, we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore." — Varun Badhwar, Endor Labs Anthropic's deputy CISO Jason Clinton framed the structural problem: coordinated disclosure hasn't kept up with how fast AI finds problems. Getting patches upstream before disclosure — not after — is the whole bet. Anthropic's own cybersecurity models are part of the backstory. In early June, Anthropic released Fable 5 and Mythos 5 — the first generally available models built specifically for security defense. Three days later, the US government suspended them after researchers demonstrated they could assist with cyberattacks. That's the exact threat model Akrites is designed around. Defenders and attackers have identical AI access. The answer isn't better models in isolation — it's faster, coordinated patching. Sources: The New Stack https://thenewstack.io/after-fable-5-ban-anthropic-and-19-organizations-launch-open-source-security-body/ · Linux Foundation announcement https://www.linuxfoundation.org/press/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats · Akrites https://akrites.org/ ✏️ Drafted with KewBot AI , edited and approved by Drew.