Linux Foundation launches Akrites to fix open source flaws

Thu, 25th Jun 2026 (Today)
Joseph Gabriel Lagonsin, News Editor

The Linux Foundation has launched Akrites to coordinate the remediation and disclosure of vulnerabilities in critical open source software, with initial backing from technology groups, financial institutions and security companies.

Founding participants include Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone and Zscaler.

Akrites is intended to serve as a shared Security Incident Response Team and a single process for coordinated vulnerability disclosure. The model gives open source maintainers one channel for handling serious flaws, rather than multiple overlapping reports from different organisations.

The effort reflects growing concern across the software industry that advances in artificial intelligence have sharply reduced the time and expertise needed to identify vulnerabilities in widely used code. Open source software underpins systems used by banks, hospitals, power grids, telecoms networks, governments and AI developers, making weaknesses in popular projects an infrastructure issue rather than a niche software problem.

Under the Akrites structure, vulnerabilities would be handled confidentially, with fixes returned to the original projects through the maintainers' own processes. The initiative would also act as maintainer of last resort for critical packages that no longer have active maintainers, aiming to ensure fixes reach current versions in time.

Alpha-Omega, a directed fund of the Linux Foundation, is providing seed funding for the project. Other organisations that contribute engineering support or funding for critical open source security are being invited to join.

Industry concern

The launch comes as companies and public sector bodies grapple with the consequences of AI-assisted security research. Security teams have long used automation to test software, but recent AI systems have raised expectations that far more vulnerabilities can be identified much faster, increasing pressure on those responsible for verifying, patching and disclosing them.

That pressure falls heavily on maintainers of open source projects, many of whom work with limited resources. In practice, one severe flaw in a popular software component can affect thousands of organisations downstream, while fragmented patching efforts can create competing fixes and confusion for users.

Matt Wilson, vice president and distinguished engineer at Amazon Web Services, set out the case for a shared response. "Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before. That's an enormous opportunity for defenders, and Akrites ensures we seize it together. Maintainers deserve a coordinated partnership, not a flood of reports. AWS is committed to securing the projects our customers depend on and building this shared infrastructure alongside the community," Wilson said.

Several members framed the issue as a race between discovery and exploitation. "AI has massively compressed the time between vulnerability discovery and exploitation to near real time, which means we have to compress the time from fix to deployment. That's why we at JPMorganChase are helping to build this effort to measure success in patch deployment, not patch publication. We support a mechanism that enables downstream operators of critical infrastructure so that fixes reach real systems before adversaries can turn disclosures into exploits. And upstream, we owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust, rather than a flood of duplicative, conflicting reports," Opet said.

Upstream focus

A central feature of Akrites is its emphasis on upstream remediation, meaning fixes should be made in the original open source project rather than through private forks or fragmented downstream patches. Participants broadly support that approach, arguing that one agreed fix in a core dependency can reduce risk across entire software ecosystems.

Dan Lorenc, chief executive officer and co-founder of Chainguard, said the main bottleneck is no longer discovery. "The software supply chain is only as strong as the upstream it draws from, and we see how thin that layer really is. As AI finds more vulnerabilities, the industry will rush to patch them. Without coordination, those fixes will fragment across different patches and forks, and maintainers who are already overwhelmed, unreachable, or haven't touched a project in years. Akrites gives the industry one coordinated way to fix vulnerabilities upstream before they're exploited, with maintainers still in control. Now the work is making sure there's always someone on the other end to catch them," Lorenc said.

Microsoft linked the project to earlier industry-backed open source security work. "OpenSSF and Alpha-Omega demonstrated what is possible when industry comes together to strengthen open source security. Building on our experience co-founding these organizations, Akrites was created to address the emerging inflection point of AI-powered vulnerability discovery and defense. As a founding member, Microsoft and GitHub will contribute expertise, resources, and AI technologies to help responsibly identify and fix vulnerabilities across the open source software ecosystem that customers and organizations depend on," Russinovich said.

Support from the Rust Foundation also reflected the maintainers' perspective. "For too long, the goodwill and sense of responsibility among upstream maintainers has been taken for granted in security response processes. Akrites promises meaningful coordination with upstream maintainers, financial, and full-time support to find, fix and disclose security vulnerabilities responsibly, and a genuine commitment from the most influential companies across tech and finance to solve this problem. The Rust Foundation looks forward to working with Akrites to develop security that is fit for the future," Rumbul said.

The initiative will use established industry standards and tools for vulnerability handling, including CVE, TLP, CWE, CVSS, EPSS, SSVC and VEX, as it seeks to create a common operating model for companies that often investigate the same software risks in parallel.

Jason Clinton, deputy chief information security officer at Anthropic, said, "Open source projects collectively underpin much of the internet, and the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities. Getting ahead of that requires the industry to coordinate on findings and get fixes upstream before they're disclosed and exploited. Efforts like Akrites drive this level of coordination at the scale and speed this moment requires."