Linux Foundation: Open Source Gears Up Against AI in Cybersecurity

Code & Dev · Tom Levy

Key Takeaways

  • The Linux Foundation is committed to enhancing the security of open source projects in light of advancements in AI.

  • AI enables the detection of critical vulnerabilities in just minutes, a task that was once lengthy and complex.

  • This initiative aims to protect essential digital infrastructures from growing threats.

Why it matters: The Linux Foundation's initiative is crucial for securing open source software, which is essential to the global digital infrastructure.

Full Analysis

Linux Foundation: Open Source Arms Itself Against AI in Cybersecurity

Finding a critical vulnerability in an open source project used to take weeks of work and specialized expertise. A good AI model can accomplish the same task in just a few minutes. The Linux Foundation has decided that this needs to change.

On June 25, the foundation launched Akrites, a coordination initiative bringing together AWS, Anthropic, Cisco, Google, IBM, JPMorgan Chase, Microsoft, NVIDIA, OpenAI, Red Hat, Vodafone, and about twenty other organizations. Its mission is to create a common space for the detection, correction, and responsible disclosure of vulnerabilities in the most critical open source software. Initial funding comes from Alpha-Omega, a fund directly tied to the Linux Foundation; the same coalition had already given that fund $12.5 million in March 2026 to strengthen the security of the open source ecosystem.

A Structural Problem That AI Has Made Urgent

The imbalance between the value derived from open source and the resources dedicated to securing it is not new. Open source makes up 95% of global codebases, yet 86% of its contributors receive no compensation. Recent history illustrates how badly this equation can deteriorate.

  • In 2014, Heartbleed revealed that OpenSSL, a critical infrastructure of the global internet, was maintained by just one full-time maintainer and received less than $2,000 in annual donations.

  • In 2024, the backdoor in XZ Utils represented an even more alarming scenario: a malicious actor infiltrated a project for two years, gained the trust of an isolated maintainer, and installed a backdoor rated CVSS 10/10, the highest score, targeting millions of Linux servers.

At the same time, AI has begun complicating the defenders' work even before it assists attackers. The maintainer of the cURL project shut down its bug reporting program in early 2026: about 95% of the reports received in 2025 were hallucinated by language models. Coding agents flood maintainers with false positives, consuming the little human bandwidth available to triage legitimate alerts. The case of sudo, the utility that controls privilege escalation on millions of servers, is telling: Todd C. Miller has maintained the tool alone since 1993 and found himself without a sponsor after Quest Software withdrew in early 2024.

This same structural funding imbalance drives projects to multiply endowment funds and donation appeals, with highly variable results. Ludovic Dubost, founder of CryptPad, put it very directly: if we want free software, we need to pay for it. The companies that derive the most value from the ecosystem are precisely those that have long contributed the least to securing it.

Akrites: A New Crutch or a Real Solution?

The initiative is based on three pillars:

  • A shared security incident response team (SIRT) among all members, serving as a single point of contact for reports. This ends the current situation where the same maintainer sometimes receives ten identical reports from ten different organizations, each with its own patch recommendation.

  • A standardized process for coordinated disclosure, built on a principle of confidentiality first: fixes return to the original project, on the maintainer's terms, before any public disclosure.

  • A "last resort maintainer" mechanism for critical packages that no longer have an active maintainer, a category that the ecosystem tends to significantly underestimate.

The same organizations had already put $12.5 million into open source security in March 2026 via Alpha-Omega. The loop is starting to close: funding on one side, coordination on the other. Akrites, using that same fund as a catalyst, is the operational piece that was missing from the setup.

The European Dimension That No One Mentions

The member organizations of Akrites are predominantly headquartered in the United States. However, the software they commit to securing powers hospitals, electrical grids, telecommunications, and public administrations across Europe, including the information systems of French public services and the infrastructures covered by the NIS2 directive. The European Cyber Resilience Act, currently being rolled out, will impose security obligations across the entire lifecycle of digital products, including those that incorporate open source components. Akrites is one of the concrete industrial responses to that regulatory requirement, even if the foundation does not frame it this way.

One question remains that the initiative has not yet resolved. The speed of correction only matters if users deploy the patch. Dan Lorenc, CEO of Chainguard and a founding member, admits it explicitly: the bottleneck is no longer discovery; it is correction and its effective deployment. And less than 5% of validated open source vulnerabilities in recent months have been fixed in production systems. It is this part of the equation that Akrites has not yet addressed.
