A coordinated response to a changing security landscape

The Linux Foundation has launched Akrites, a new industry initiative designed to tighten the way security flaws are found, verified, and fixed in widely used open-source software. The effort brings together roughly 20 technology companies, AI labs, and financial institutions around a simple premise: the economics of software vulnerability discovery have changed, and defenders need a more organized response before attackers gain a larger advantage.

According to the announcement, Akrites was created because modern AI systems can now inspect large codebases in minutes rather than weeks. That speed matters. Vulnerability discovery once demanded substantial expertise and time on both sides of the equation, which created a rough balance between attackers and defenders. Akrites starts from the view that this balance is shifting. If advanced code analysis becomes broadly available, less-skilled attackers could gain access to tools that help them locate and exploit serious weaknesses far faster than the open-source ecosystem can patch them.

The new initiative is intended to address that gap by replacing what the Linux Foundation describes as a fragmented, duplicative security response model. Instead of many companies independently scanning the same packages, filing overlapping reports, and sending maintainers conflicting patches, Akrites proposes a shared process with a single coordination layer.

Who is involved

Founding members named in the announcement include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler. That roster matters because it spans some of the largest users of open-source software, several of the companies building frontier AI systems, and major institutions with direct exposure to software supply-chain risk.

The composition of the group also signals how broadly the issue is now understood. Open-source security is no longer treated as a narrow maintainer problem or a back-office compliance issue. It has become a strategic concern for cloud providers, banks, enterprise software vendors, AI developers, and infrastructure companies that all depend on shared software components.

Akrites is positioned as a practical mechanism for that shared dependency. The idea is not simply to find more flaws. It is to create a system that helps real maintainers act on credible reports without being buried in low-quality or duplicative findings.

A shared incident response team

At the center of Akrites is a shared Security Incident Response Team, or SIRT. Its role is to serve as a single point of contact for maintainers of open-source projects rather than forcing them to manage a flood of parallel outreach from multiple organizations. The team is expected to review incoming vulnerability reports, remove duplicates, and coordinate fixes.

That structure addresses a growing operational problem in software security: more scanning does not automatically produce better outcomes. If many organizations independently discover the same issue, maintainers can end up spending time triaging repeated submissions instead of fixing the most important problems. Akrites is designed to reduce that noise and concentrate attention on validated, actionable vulnerabilities.

The initiative will also use a standardized confidential disclosure process, commonly known as Coordinated Vulnerability Disclosure. In practice, that means flaws can be reported and worked on privately before technical details are exposed publicly, lowering the risk that known weaknesses are exploited in the window between discovery and patching.

What happens when maintainers are absent

One of the more notable elements in the announcement is Akrites’ plan for abandoned or undermaintained projects. Open-source ecosystems contain many packages that remain widely used even when their original maintainers have limited time, funding, or organizational support. In those cases, even confirmed vulnerabilities can linger because nobody is clearly positioned to produce and release a fix.

Akrites says it will ship the needed patches itself for abandoned projects. That is a consequential promise because it moves the initiative beyond coordination and into direct remediation when necessary. It also reflects a harder truth about the software supply chain: critical infrastructure often rests on components that do not have the staffing or institutional backing their importance would suggest.

If Akrites can meaningfully reduce the delay between vulnerability discovery and patch availability in those neglected parts of the ecosystem, it could help close one of the most persistent weak points in open-source security.

Why the timing matters

The urgency described in the announcement is not abstract. Endor Labs chief executive Varun Badhwar, quoted in the source material, said that of thousands of validated open-source vulnerabilities from recent months, fewer than five percent have been patched. Even without additional context, that figure captures the scale of the remediation backlog Akrites is trying to address.

The AI angle sharpens the issue. If model-assisted analysis dramatically increases the rate at which flaws can be found, the backlog could worsen unless triage and patching become more efficient too. Akrites is effectively an attempt to industrialize the response side of open-source security before discovery tooling accelerates further.

That does not mean AI is framed only as a threat. Implicitly, the initiative also recognizes that the same technological shift pressuring defenders can be met with shared processes, pooled expertise, and better coordination. Akrites is less a rejection of AI-era security tooling than an effort to make sure the human and organizational side of remediation can keep up with it.

A test of whether collective defense can scale

The significance of Akrites will ultimately depend on execution. Centralizing reports, filtering duplicates, coordinating confidential disclosure, and patching abandoned projects are all sensible responses to a noisier and faster-moving vulnerability environment. The difficult part will be sustaining trust with maintainers, prioritizing the right issues, and proving that a cross-industry body can move quickly enough to matter.

Still, the initiative stands out because it treats open-source security as a collective defense problem rather than a series of isolated incidents. That is a meaningful shift. The companies most dependent on shared software are acknowledging that fragmented reporting and duplicated effort are no longer enough, especially when AI may lower the barrier to high-impact attacks.

If Akrites succeeds, its legacy may not be in the number of vulnerabilities it discovers, but in whether it helps the open-source world respond to serious flaws with less noise, less delay, and fewer gaps for attackers to exploit.

This article is based on reporting by The Decoder.

Originally published on the-decoder.com