Linux Foundation and 20 tech giants launch Akrites to fix open-source flaws before AI-powered attacks hit

Key Points

• The Linux Foundation and roughly 20 technology firms have started the Akrites project to secure open-source software from AI-driven threats.
• Because AI models can now scan code quickly and help non-experts launch complex attacks, Akrites replaces the current uncoordinated way of reporting security issues.
• A central group will check reports privately and organise repairs. For projects without owners, the initiative will release the patches itself.

Approximately twenty technology companies, AI laboratories, and banks are combining forces through Akrites to address weaknesses in critical open-source software before attackers can use them.

The Linux Foundation has announced Akrites, a coordinated industry effort to patch security flaws in widely used open-source software alongside maintainers before attackers can exploit them. Founding members include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler.

The motivation is a shift in the balance of power. Finding and fixing serious bugs in open-source code used to require comparable expertise on both sides. Modern AI models can now scan a large project in minutes instead of weeks, exposing flaws far faster. Once those abilities are widely available, even attackers without deep technical skills get the tools for sophisticated exploits.

The Linux Foundation describes the current security response model as patchwork. Many organisations scan the same packages independently, report the same findings multiple times, and sometimes deliver conflicting patches. Maintainers get buried under duplicates while real, exploitable bugs get lost in AI-generated noise. Endor Labs CEO Varun Badhwar put the urgency in sharp terms: of thousands of validated open-source vulnerabilities from recent months, fewer than five percent have been patched.

One shared response team instead of a hundred separate reports

At the core of Akrites is a shared Security Incident Response Team (SIRT). It acts as a single, reliable point of contact for open-source project maintainers instead of dozens of organisations independently flagging the same flaws. The team vets incoming reports, filters out duplicates, and then coordinates fixes.

Akrites uses a standardised process for confidential vulnerability disclosure, known in the industry as Coordinated Vulnerability Disclosure. It builds on established standards like the CVE identifier system, the CVSS severity scoring framework, and the TLP traffic-light protocol that governs who gets to see what. Confidentiality is central: every report starts at TLP:RED, the highest classification level, and only the assigned case team can access it. That way, details about a flaw do not leak before a patch is ready.

Maintainers keep control even when there are none left

Finished fixes flow back into the original project on the maintainer’s terms keeping developers in control. When a critical package no longer has an active maintainer – a common problem with volunteer-run projects – Akrites plans to step in as a “maintainer of last resort” and ship the fix itself, so the patch reaches all users in time. The initiative also plans to coordinate with government agencies so private and public defenders move in lockstep.

Seed funding comes from Alpha-Omega, a directed fund under the Linux Foundation. Other organisations that want to contribute engineering resources or funding are invited to join.