The Linux Foundation has announced Akrites, a new initiative to coordinate vulnerability disclosure and remediation for critical open source software as AI dramatically speeds up vulnerability discovery.
What Happened
Akrites establishes a shared Security Incident Response Team (SIRT) and a single, standardized Coordinated Vulnerability Disclosure (CVD) process, built on confidentiality-first principles and industry-standard tooling. The initiative unites major technology companies, AI labs, financial institutions, and security vendors around a shared mission: to coordinate the remediation of vulnerabilities in widely used open source projects with upstream maintainers before those vulnerabilities can be exploited.
The founding members of Akrites include Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler. These organizations have committed engineering talent, security expertise, and funding to harden the shared open source software that banks, hospitals, power grids, telecoms, governments, and AI labs depend on.
Background and Context
The rapid advancement of artificial intelligence (AI) has significantly accelerated vulnerability discovery in open source software. Frontier AI models can now scan a major open source project and surface vulnerabilities in minutes. This shift has created new challenges for the industry, as attackers who previously lacked the technical expertise to mount sophisticated attacks will have the tools they need to do so quickly.
In the past, security response involved a patchwork of organizations often working on the same problems independently, sometimes shipping conflicting patches or burying maintainers under duplicate reports. Akrites changes this model by providing a single, trusted place to coordinate, remediate and disclose vulnerabilities in open source software.
Why It Matters
The significance of Akrites lies in its potential to mitigate the risks associated with AI-assisted vulnerability discovery. By coordinating the remediation of vulnerabilities in widely used open source projects, Akrites aims to reduce duplicate reports, avoid conflicting patches, and help upstream maintainers address vulnerabilities before they can be exploited.
This initiative is particularly relevant to the adult industry, which relies heavily on open source software for its infrastructure. The industry's platforms and operators often use open source technologies such as Linux, Apache, and MySQL to power their services. As AI continues to advance, the risk of vulnerability discovery and exploitation increases, making initiatives like Akrites crucial for ensuring the security and stability of these critical systems.
What Comes Next
Akrites will provide a shared Security Incident Response Team (SIRT), which will serve as a predictable partner for maintainers rather than a flood of uncoordinated reports. The initiative will also act as a "maintainer of last resort" for abandoned but widely used packages, ensuring that fixes can still be delivered for these critical components.
The Linux Foundation has invited organizations to participate in Akrites and contribute engineering resources or funding to the security of critical open source software. As the industry comes together to address this pressing issue, it remains to be seen whether a coordinated effort like Akrites will be enough to protect open source from AI-assisted attacks.
Key Facts
- Akrites is a new initiative launched by the Linux Foundation to coordinate vulnerability disclosure and remediation for critical open source software.
- The founding members of Akrites include Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler.
- Akrites establishes a shared Security Incident Response Team (SIRT) and a single, standardized Coordinated Vulnerability Disclosure (CVD) process.
- The initiative aims to reduce duplicate reports, avoid conflicting patches, and help upstream maintainers address vulnerabilities before they can be exploited.
- Akrites will act as a "maintainer of last resort" for abandoned but widely used packages.