Akrites: Linux Foundation and 18 Industry Giants Join Forces to Defend Open Source From AI-Powered Attacks

On June 25, 2026, the Linux Foundation announced Akrites, an unprecedented coalition of 18 of the world's largest technology and financial institutions, united by a single mission: patch open source vulnerabilities before attackers' AI finds them.
The name comes from the Akritai, the Byzantine Empire's frontier guardians, stationed where threats arrived first and defenses were thinnest. In modern software, that frontier is upstream: the open source projects everything else depends on. Akrites is the industry standing that watch together.
Why Now?
A serious open source vulnerability used to take an expert weeks to find. Today, a frontier AI model can scan a major project and surface vulnerabilities in minutes.
This is not hypothetical. We've seen the real-world consequences:
- Claude Mythos discovered over 10,000 CVEs in a single month
- GPT-5.5-Cyber, used by OpenAI and Trail of Bits, automatically patches open source vulnerabilities in the Patch the Planet initiative
- AI vulnerability scanners are being commercialized at breakneck speed
The problem isn't that AI finds vulnerabilities; it's that our ability to patch them can't keep up.
The Alarming Number: Fewer Than 5% Get Patched
Varun Badhwar, CEO of Endor Labs (a founding Akrites member), cited a sobering figure:
"Of the thousands of validated open source vulnerabilities surfaced in recent months, fewer than 5% have been patched."
In other words, for every validated finding that gets fixed, more than 20 are still waiting: AI is surfacing vulnerabilities at least 20 times faster than the community can patch them. That gap can't be closed by "trying harder"; it requires a completely new model.
How Akrites Works
Akrites is not a new vulnerability scanner. It is a coordination layer on top of existing tools.
One Front Door for Maintainers
Right now, when multiple organizations scan the same library, a maintainer receives the same vulnerability described five different ways by five different reporters. They must manually triage which reports are real and which are "AI noise": model-generated alerts that aren't actually exploitable.
Akrites changes this with a shared Security Incident Response Team (SIRT):
- Intake: Every finding enters through a single channel and is handled at TLP:RED (no disclosure beyond the case team)
- Deduplicate & Validate: SIRT merges duplicates, validates severity, assigns ownership
- Remediate: Coordinates with upstream maintainers to create patches through a standardized Coordinated Vulnerability Disclosure (CVD) process
- Synchronized Disclosure: The fix publishes to the original repository namespace, so there are no forks and no fragmented patches
Maintainer of Last Resort
A critical detail: if an important package has no active maintainer, Akrites steps in as temporary maintainer to ensure fixes reach all users. Akrites is among the first initiatives at this scale to make that commitment explicit.
Security via TLP 2.0
All vulnerability information is handled under version 2.0 of FIRST's Traffic Light Protocol (TLP), with analysis infrastructure running on isolated secure enclaves. Analysts work through secured virtual machines, with access gated by processing phase. The goal: no third party learns about a vulnerability before the patch is ready.
Who's Behind Akrites?
The 18 founding members read like a who's-who of the tech industry:
| Group | Members |
|---|---|
| Cloud & Infra | AWS, Google, Microsoft/GitHub, Red Hat |
| AI Labs | Anthropic, OpenAI, NVIDIA |
| Finance | Citi, JPMorganChase |
| Telecom | Cisco, Ericsson, Vodafone |
| Security | Chainguard, Endor Labs, RapidFort, Sonatype, Zscaler |
| Open Source | Rust Foundation |
The simultaneous presence of three of the biggest names in AI (Anthropic, OpenAI, NVIDIA) alongside direct competitors (AWS, Google, Microsoft) in the same initiative is extraordinarily rare. It signals the severity of the problem: even fierce rivals recognize that open source is a commons no one can afford to see compromised.
What This Means for Developers
1. Time-to-Patch Will Drop Dramatically
Instead of waiting weeks for a solo maintainer to triage a report, critical vulnerabilities should be handled by a dedicated SIRT within days, sometimes hours. For developers running popular libraries in production, that is a direct security improvement.
2. Less Alert Fatigue from Scanning Tools
If your organization uses tools like Dependabot, Snyk, or Chainguard, the flood of duplicate and AI-generated false-positive alerts should thin out as Akrites handles centralized triage and validation. One caveat: Akrites sits upstream of those tools. What it reduces is the volume of unvalidated and fragmented reports reaching maintainers and advisory feeds; alerts for already-published CVEs in your dependency tree still require the same patching work as before.
3. Small Projects Get Better Protection
"Invisible" libraries โ packages with millions of downloads but a single maintainer โ are prime attack targets. Akrites explicitly commits to not overlooking these projects, especially when they're transitive dependencies of critical infrastructure.
4. A New Coordination Model for Open Source Security
Akrites doesn't replace existing programs like MITRE/CVE, FIRST, or Glasswing; it integrates with them. CVE catalogs vulnerabilities, FIRST maintains standards such as TLP and CVSS, and discovery efforts such as Glasswing find the bugs. Akrites focuses on coordinating the response once a vulnerability is found. This is the missing piece in the open source security landscape.
Open Questions
Despite the promise, several questions remain unanswered:
- Specific funding: Alpha-Omega provides seed funding, but no public figure has been disclosed. The actual resource scale will determine processing speed.
- Prioritization criteria: How do you decide which projects get triaged first? The specific criteria haven't been published.
- Sustainability: Similar past initiatives (like the Core Infrastructure Initiative after Heartbleed) often lost momentum after a few years. Will Akrites be different?
The Bottom Line
Akrites is the most organized response yet to the reality that AI has fundamentally shifted the balance between attackers and defenders in open source. Instead of leaving individual maintainers to face the flood of AI-generated vulnerability reports alone, the tech industry is pooling resources, from AI labs, cloud providers and banks to security vendors.
The question is no longer "Can AI find vulnerabilities faster?"; that answer is clear. The question now is whether coordinated remediation can keep pace with AI-powered discovery.
With Akrites, the defenders finally have an answer worth betting on.
Content assisted by AI (Amy). Reviewed by the author.