# Linux Foundation announces Akrites: coord/remediate/disclose OSS vulnerabilities

> Source: <https://akrites.org/>
> Published: 2026-06-25 20:04:28+00:00

**An open letter** from the technology industry, and the launch of Akrites – a coordinated effort to remediate vulnerabilities in the open source software the world runs on.

[Read Open Letter](/letter)

#### Origin

## The name comes from the Akritai — the Byzantine Empire’s frontier guardians, who stood watch where threats arrived first and defenses were thinnest.

In modern software, that frontier is upstream: the open source projects everything depends on. Akrites is the industry standing that watch together, alongside the maintainers who have held it alone for too long. Fittingly, the root of the name is the same word that gives us critical — which is exactly the software this effort exists to defend.

#### The Problem

## Discovery has outrun defence.

AI security tools have moved the cost of finding serious software vulnerabilities from weeks of expert effort to minutes of automated scanning. The defenders of open source software have to adapt.

### Reports outpace triage

The availability of models means a popular library can receive the same vulnerability described five different ways from five reporters in one week.

### Signal collapses

Maintainers often waste time sifting through volumes of reports to separate the real, exploitable findings from confident-sounding AI noise. Some ignore AI-generated reports entirely, so real ones may be missed too.

### Everyone races to disclosure

Every organization scanning the same software independently risks racing to disclosure, overwhelming maintainers and exposing pre-patch findings to attackers.

#### Stronger Together

## Why working separately makes it worse.

No single organization can solve this alone. Acting independently makes the problem worse.

### Duplicate Discovery at Scale

Many end users, cloud providers, security researchers, and security vendors scan the same packages and file the same findings independently.

### Maintainer Overload

A flood of duplicate and low-quality reports buries the real, exploitable ones and burns out the people we depend on.

### Pre-patch Exposure

Every additional party who knows about an unpatched vulnerability raises the odds of a leak. AI tooling lets anyone find the same vulnerabilities, so most vulnerabilities should be treated as public knowledge from the moment they are found.

### Sector and Technology Blindness

Banks know what banks depend on; hospitals know what hospitals depend on. Neither learns they share a critical dependency until it is on fire.

#### The Akrites Solution

## A shared Security Incident Response Team (SIRT).

Akrites gives critical infrastructure stakeholders a confidential, structured place to coordinate vulnerability discovery, remediation, and disclosure across the open source projects they depend on, at the pace AI-assisted attackers now operate.

### One Front Door

Upstream maintainers face a coordinated, predictable partner running one standardized CVD process, not a hundred independent reports.

### A Shared Dedicated SIRT

A centralized Security Incident Response Team validates and deduplicates findings, and coordinates resolution and upstream patching.

It leverages industry standards and tools: CVE, TLP, CWE, CVSS, EPSS, SSVC, VEX, VINCE.

#### Question

### How does Akrites relate to or integrate with other similar industry efforts?

Akrites provides a consistent, centralized coordination facility that can easily integrate with external Finders such as Glasswing, MITRE/CVE, Lightwell, FIRST, and the like. These efforts have been focused on the *finding* of security vulnerabilities. Akrites focuses on *coordinating the disclosure* of those findings and can assist by accepting and coordinating reports from any of these programs.

#### Upstream

## How a vulnerability flows through the program.

Every finding follows the same path so upstream maintainers face one predictable partner and members get consistent embargo handling.

- A member or its vendor surfaces a finding to the SIRT. It is TLP:RED from the start, visible only to the case team.
- The SIRT merges duplicates into one case, validates severity, and assigns ownership.
- Maintainers and/or industry engineers prepare and test the fix, held as TLP:RED case material.
- Upstream enters one CVD window; the fix is published to the original namespace at disclosure.

#### Confidentiality Framework

## Critical vulnerability information is protected by use of the TLP 2.0 protocol.

### Hardened Infrastructure

- Isolated secure enclaves to perform vulnerability analysis, POC/POV verification, and patch creation
- Analyst workbench provided via secure virtual machines
- Protected by strong access controls, MFA, and monitoring
- Access to Vulnerability Reports limited to Finders during triage/verification
- Access to patch bundles limited to Finders and SIRT during Coordination & Disclosure
- TLP gatekeeps access along all phases of engagement

### Confidential Coordination

- CVD Tools like VINCE used to assist in coordination/case management
- TLP covers all parties and artifacts until public disclosure (PD)
- Confidential reporting tools used to report issues upstream (e.g. GitHub Private Reporting)
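As an added illustration (not Akrites' own tooling), the following Python models the flow described above and the phase-gated access in this section: duplicate reports merge into one case, the case carries TLP:RED until public disclosure, and reads of reports and patch bundles are checked per role and phase. The phase names, role names, access matrix and duplicate-matching key are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Phase(Enum):
    TRIAGE = 1         # reports validated, duplicates merged (TLP:RED)
    COORDINATION = 2   # fix prepared and tested under embargo (TLP:RED)
    PUBLIC = 3         # PD reached; CVD window opens (TLP:CLEAR)

# Roles that may read each artifact in each pre-PD phase. Assumption modelled on
# the page's bullets: the SIRT is the case team; maintainers join to prepare the fix.
ACCESS = {
    ("report", Phase.TRIAGE): {"finder", "sirt"},
    ("report", Phase.COORDINATION): {"finder", "sirt", "maintainer"},
    ("patch", Phase.COORDINATION): {"finder", "sirt", "maintainer"},
}

@dataclass
class Case:
    package: str
    cwe: str
    location: str                # affected component; lower-cased for duplicate matching
    reporters: list = field(default_factory=list)
    phase: Phase = Phase.TRIAGE

def tlp(case: Case) -> str:
    """TLP 2.0 label: RED from intake until public disclosure, CLEAR afterwards."""
    return "TLP:CLEAR" if case.phase is Phase.PUBLIC else "TLP:RED"

def intake(cases: dict, reporter: str, package: str, cwe: str, location: str) -> Case:
    """Merge a report into the existing case for the same issue, else open a new one."""
    key = (package, cwe, location.lower())
    case = cases.setdefault(key, Case(package, cwe, location))
    if reporter not in case.reporters:
        case.reporters.append(reporter)
    return case

def advance(case: Case) -> Phase:
    """Move the case to the next phase; PUBLIC is terminal."""
    case.phase = Phase(min(case.phase.value + 1, Phase.PUBLIC.value))
    return case.phase

def can_read(case: Case, role: str, artifact: str) -> bool:
    """TLP gate: anyone may read after PD; before it, only the roles listed for that phase."""
    if case.phase is Phase.PUBLIC:
        return True
    return role in ACCESS.get((artifact, case.phase), set())
```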

#### Membership

## Coordinated response, collective resilience.

### Premier

Critical infrastructure operators and the vendors and platforms they depend on.

- Priority SIRT coordination; eligible for Governing Board nomination

### General

Organizations that want to help but cannot commit large engineering resources.

- Participation in future forums and working groups
- Priority access to member briefings
- Named participation in transparency reports

### Associate

Recognized open source foundations and projects, at no cost.

- Participate subject to charter and confidentiality terms
- Invited by the Governing Board at its discretion to coordinate with working groups

Foundation-level dues fund coordination, not any single group’s engineering:

- The neutrally operated SIRT that runs the CVD process end-to-end
- Secure workspace, identity, and tamper-evident audit infrastructure
- Governing Board, coordination and program management

*Members may offer in-kind compute, AI resources, or licenses in lieu of dues, subject to annual Governing Board approval. All members must be current Linux Foundation members and sign the participation agreement and NDA.*

#### JOIN US

### Patch the commons, together.

Join critical infrastructure operators and their vendors in building a confidential, coordinated defense for the open source software we all rely on.

[Inquire About Membership](/contact)
