Key Points #
- The Linux Foundation and about 20 tech companies have launched the Akrites initiative to protect open-source software vulnerabilities from AI-powered attacks.
- As AI models can scan code in minutes and give even non-experts the tools for complex attacks, Akrites replaces the current uncoordinated system for reporting security flaws.
- A central team will vet reports confidentially and coordinate fixes. For abandoned projects, the initiative will ship the needed patches itself.
About twenty tech companies, AI labs, and banks are joining forces through Akrites to fix vulnerabilities in critical open-source software before AI tools can exploit them.
The Linux Foundation has announced Akrites, a coordinated industry initiative to patch security flaws in widely used open-source software alongside maintainers before attackers can take advantage. Founding members include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler.
The reason is a shift in the balance of power: finding and fixing serious bugs in open-source code used to require comparable expertise on both sides. Modern AI models can now scan a large project in minutes instead of weeks, exposing flaws far faster. Once those abilities are widely available, even attackers without deep technical skills get the tools for sophisticated exploits.
The Linux Foundation describes the current security response model as patchwork. Many organizations scan the same packages independently, report the same findings multiple times, and sometimes deliver conflicting patches. Maintainers get buried under duplicates while real, exploitable bugs get lost in AI-generated noise. Endor Labs CEO Varun Badhwar put the urgency in sharp terms: of thousands of validated open-source vulnerabilities from recent months, fewer than five percent have been patched.
One shared response team instead of a hundred separate reports #
At the core of Akrites is a shared Security Incident Response Team (SIRT). It acts as a single, reliable point of contact for open-source project maintainers instead of dozens of organizations independently flagging the same flaws. The team vets incoming reports, filters out duplicates, and then coordinates fixes.
Akrites uses a standardized process for confidential vulnerability disclosure, known in the industry as Coordinated Vulnerability Disclosure. It builds on established standards like the CVE identifier system, the CVSS severity scoring framework, and the TLP traffic-light protocol that governs who gets to see what. Confidentiality is central: every report starts at TLP:RED, the highest classification level, and only the assigned case team can access it. That way, details about a flaw don't leak before a patch is ready.
Maintainers keep control even when there are none left #
Finished fixes flow back into the original project on the maintainer's terms keeping developers in control. When a critical package no longer has an active maintainer - a common problem with volunteer-run projects - Akrites plans to step in as a "maintainer of last resort" and ship the fix itself, so the patch reaches all users in time. The initiative also plans to coordinate with government agencies so private and public defenders move in lockstep.
Seed funding comes from Alpha-Omega, a directed fund under the Linux Foundation. Other organizations that want to contribute engineering resources or funding are invited to join.
AI News Without the Hype – Curated by Humans
Subscribe to THE DECODER for ad-free reading, a weekly AI newsletter, our exclusive "AI Radar" frontier report six times a year, full archive access, and access to our comment section.
Subscribe now