Linux Foundation launches Akrites to protect open source from AI

The Linux Foundation, together with a broad coalition of technology companies, financial institutions, and open-source organizations, is launching the Akrites initiative. According to the organizers, AI has accelerated the pace at which vulnerabilities in open-source software are discovered to such an extent that the existing process for reporting and fixing security flaws is no longer sufficient.

To mark the launch, the participants published a joint open letter titled “We All Depend on Open Source. We Will Defend It Together.” In it, they state that the security of widely used open-source projects can now only be maintained through a coordinated approach.

The founders include Amazon Web Services, Anthropic, Cisco, Google, IBM, Microsoft, GitHub, NVIDIA, OpenAI, Red Hat, Vodafone, and JPMorgan Chase, among others. Organizations such as the OpenSSF, CNCF, OpenInfra Foundation, and Rust Foundation are also participating in the initiative.

AI Is Changing the Threat Landscape

According to the Linux Foundation, open source forms the foundation of systems in sectors such as finance, healthcare, energy, telecommunications, transportation, and government services. At the same time, the emergence of advanced AI models means that vulnerabilities can be detected much faster than before.

Whereas security researchers used to need weeks to find a serious vulnerability in a major open-source project, an AI model—according to the initiative’s organizers—can now do so in just a few minutes. This not only shortens the time between discovery and exploitation but also lowers the technical barrier for attackers seeking to exploit such vulnerabilities.

With Akrites, the Linux Foundation aims to prevent dozens of companies from independently analyzing the same software and flooding maintenance teams with separate reports. According to the initiators, this leads to duplication of effort, conflicting patches, and unnecessary delays.

The initiative is therefore establishing a central coordination point and a joint Security Incident Response Team (SIRT). This team is intended to serve as a single point of contact for maintenance teams and to coordinate the handling of vulnerabilities before they are made public.

The organization emphasizes its desire to collaborate with the original developers of projects. Security updates should, as much as possible, be fed back into the source code of the original project. When an essential open-source project no longer has active maintainers, Akrites intends to temporarily act as a “maintainer of last resort” to ensure that security updates are still made available.

Focus on Rapid Deployment

The initiators want to focus not only on developing patches but also on implementing them more quickly. As soon as a security update is made public, attackers can use AI to rapidly analyze the underlying vulnerability and develop exploit code. That is why Akrites wants to collaborate more closely with critical infrastructure administrators to roll out security updates as quickly as possible.

The initiative’s initial funding comes from Alpha-Omega, a Linux Foundation fund focused on the security of critical open-source projects. In addition, the participating organizations are contributing developers, security specialists, and financial resources. The Linux Foundation is also inviting other organizations to join Akrites.