Linux Foundation and Tech Giants Launch Akrites

The Linux Foundation and around 20 tech companies have launched the Akrites initiative to find and fix vulnerabilities in open-source software before AI-powered attacks can exploit them.
As AI models can scan code in minutes and provide even non-experts with tools for complex attacks, Akrites replaces the current vulnerability reporting system, which lacks coordination. A central team will confidentially review reports and coordinate fixes. For abandoned projects, the initiative will take it upon itself to deliver the necessary patches.
About twenty tech companies, AI labs, and banks are joining forces through Akrites to fix vulnerabilities in critical open-source software before AI tools can exploit them. The Linux Foundation announced Akrites as a coordinated industry initiative to address security flaws in widely used open-source software, in collaboration with maintainers, before attackers can take advantage of them. Founding members include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorgan Chase, Microsoft, NVIDIA, OpenAI, Red Hat, Rust Foundation, Vodafone, and Zscaler.
The reason for this initiative is a shift in the balance of power: finding and fixing serious bugs in open-source code previously required comparable expertise on both sides. Modern AI models can now scan a large project in minutes instead of weeks, exposing vulnerabilities much more quickly. Once these capabilities become widely available, even attackers without deep technical skills gain access to tools for sophisticated exploits.
The Linux Foundation describes the current security response model as a patchwork. Many organizations independently scan the same packages, report the same results multiple times, and sometimes deliver conflicting patches. Maintainers find themselves overwhelmed by duplicates, while actual exploitable bugs get lost in the noise generated by AI. Varun Badhwar, CEO of Endor Labs, expressed the urgency of the situation: among thousands of validated open-source vulnerabilities in recent months, less than five percent have been fixed.
A Shared Response Team Instead of Hundreds of Separate Reports
At the heart of Akrites is a shared Security Incident Response Team (SIRT). It acts as a single, reliable point of contact for open-source project maintainers, instead of dozens of organizations independently reporting the same flaws. The team reviews incoming reports, filters out duplicates, and then coordinates fixes.
Akrites employs a standardized process for confidential vulnerability disclosure, known in the industry as Coordinated Vulnerability Disclosure. This relies on established standards such as the CVE identification system, the CVSS severity rating framework, and the TLP (Traffic Light Protocol) that governs who can see what. Confidentiality is crucial: each report starts at the TLP:RED level, the highest classification level, and only the assigned case team can access it. Thus, details about a vulnerability do not leak before a fix is ready.
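The two mechanisms described above, a single intake that collapses duplicate reports and a TLP:RED default that limits a case to its assigned team until the fix ships, can be sketched as a small triage model. The code below is an added illustration, not Akrites or Linux Foundation code; the `SIRT`, `Report` and `Actor` names, the fingerprinting rule, and the sample report are all constructed for this example.

```python
"""Toy model of a shared SIRT intake: duplicate reports are merged onto one
case, every new case starts at TLP:RED, and only the assigned case team can
read it until the fix is published. Constructed example; not Akrites code."""
from dataclasses import dataclass, field
from enum import IntEnum
import hashlib


class TLP(IntEnum):
    """Traffic Light Protocol levels, least to most restrictive."""
    CLEAR = 0
    GREEN = 1
    AMBER = 2
    RED = 3


@dataclass(frozen=True)
class Actor:
    name: str
    org: str


@dataclass
class Report:
    package: str
    component: str
    summary: str
    reporters: list
    tlp: TLP = TLP.RED                      # every new case starts at TLP:RED
    case_team: set = field(default_factory=set)
    fixed: bool = False


def fingerprint(package: str, component: str, summary: str) -> str:
    """Stable key for 'same flaw reported twice': normalise case and whitespace
    before hashing so near-identical submissions land on one case (assumed rule)."""
    norm = "|".join(" ".join(s.lower().split()) for s in (package, component, summary))
    return hashlib.sha256(norm.encode()).hexdigest()[:16]


class SIRT:
    """Single point of contact: dedupes intake and gates who may read a case."""

    def __init__(self) -> None:
        self.cases: dict[str, Report] = {}

    def intake(self, package, component, summary, reporter: str, case_team) -> tuple:
        """Return (case id, is_new). A duplicate is merged, not opened again."""
        fp = fingerprint(package, component, summary)
        if fp in self.cases:
            self.cases[fp].reporters.append(reporter)
            return fp, False
        self.cases[fp] = Report(package, component, summary, [reporter],
                                case_team=set(case_team))
        return fp, True

    def can_read(self, case_id: str, actor: Actor) -> bool:
        """TLP:RED -> case team only; TLP:AMBER -> orgs on the case team;
        GREEN/CLEAR -> anyone in this toy model."""
        r = self.cases[case_id]
        if r.tlp == TLP.RED:
            return actor in r.case_team
        if r.tlp == TLP.AMBER:
            return actor.org in {m.org for m in r.case_team}
        return True

    def publish_fix(self, case_id: str) -> TLP:
        """Once the patch is out, details may be public: drop to TLP:CLEAR."""
        r = self.cases[case_id]
        r.fixed = True
        r.tlp = TLP.CLEAR
        return r.tlp


def demo() -> dict:
    """Run the flow on a constructed report and return the observable results."""
    sirt = SIRT()
    alice = Actor("alice", "foundation-sirt")
    bob = Actor("bob", "vendor-a")
    outsider = Actor("mallory", "other-org")
    # Two scanners report the same (constructed) flaw with cosmetic differences.
    cid, first_new = sirt.intake("libexample", "parser.c",
                                 "Missing bounds check in chunk length parsing",
                                 "scanner-1", {alice, bob})
    _, second_new = sirt.intake("LibExample", "parser.c",
                                "missing  bounds check in chunk length parsing",
                                "scanner-2", {alice, bob})
    before = (sirt.can_read(cid, alice), sirt.can_read(cid, outsider))
    sirt.publish_fix(cid)
    return {
        "first_is_new": first_new,
        "second_is_new": second_new,
        "reporters": len(sirt.cases[cid].reporters),
        "team_can_read": before[0],
        "outsider_can_read": before[1],
        "after_fix_outsider": sirt.can_read(cid, outsider),
        "final_tlp": sirt.cases[cid].tlp,
    }


if __name__ == "__main__":
    print(demo())
```

The fingerprint is deliberately simple; a real SIRT would also match on affected version ranges and on the maintainer's own issue tracker, but the shape is the same: one case per flaw, one team per case, and the classification only relaxes once the patch is out.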
Maintainers Retain Control Even in Their Absence
Completed patches return to the original project under the maintainer's terms, allowing developers to maintain control. When a critical package no longer has an active maintainer—a common issue with volunteer-managed projects—Akrites plans to step in as a last-resort maintainer and deliver the patch itself, ensuring that the fix reaches all users in time. The initiative also aims to coordinate with government agencies so that private and public defenders advance in concert.
Initial funding comes from Alpha-Omega, a fund managed under the Linux Foundation. Other organizations wishing to contribute engineering resources or funds are invited to join the initiative.