Akrites gives open-source security one shared response team

The Linux Foundation and about 20 tech companies have launched Akrites to coordinate fixes for open-source vulnerabilities before AI-powered attacks can exploit them. The initiative centers on a shared Security Incident Response Team that vets reports, removes duplicates and works with maintainers to get patches out confidentially.

Akrites is a new Linux Foundation initiative built around a simple problem: open-source security work is becoming harder to coordinate at the exact moment AI tools are making vulnerability discovery faster. About 20 tech companies, AI labs and banks are joining the effort to help fix flaws in critical open-source software before attackers can move first.

The group is designed to replace scattered vulnerability reporting with a single, confidential response process. Its goal is not only to find problems, but to help the right fixes reach users without overwhelming maintainers or leaking sensitive details too early.

Why Akrites is being launched now

The Linux Foundation has announced Akrites as a coordinated industry initiative focused on security flaws in widely used open-source software. Founding members include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler.

The urgency comes from a shift in how quickly software flaws can be found. According to the source article, modern AI models can scan a large project in minutes instead of weeks. That speed changes the balance between defenders and attackers, because the same capabilities that help security teams can also help less experienced attackers build more sophisticated exploits.

Open-source projects often sit at the center of modern software supply chains. When a widely used package has a serious flaw, the impact can reach many organizations at once. Akrites is meant to shorten the path between discovering a real issue and getting a reliable patch into the original project.

The current reporting model is too noisy

The Linux Foundation describes today’s open-source security response model as patchwork. Many organizations scan the same packages separately, then send overlapping reports to maintainers. In some cases, they may also submit conflicting fixes for the same underlying issue.

That creates a practical burden for project maintainers. Instead of receiving one clear, validated report, maintainers can be forced to sort through duplicates and noise. The problem becomes sharper as AI-generated vulnerability reports increase, because real, exploitable bugs can be harder to separate from low-quality findings.

Endor Labs CEO Varun Badhwar underscored the scale of the gap: of thousands of validated open-source vulnerabilities from recent months, fewer than five percent have been patched. That figure is central to the case for Akrites. Finding more flaws is not enough if the ecosystem cannot reliably turn validated findings into shipped fixes.

How the shared response team works

At the center of Akrites is a shared Security Incident Response Team, or SIRT. The team is meant to act as one reliable point of contact for open-source maintainers, rather than forcing them to respond to dozens of separate organizations reporting similar issues.

The SIRT has three core jobs:

  • Vet incoming vulnerability reports before they reach maintainers.
  • Filter out duplicate findings so projects receive clearer information.
  • Coordinate fixes with the people responsible for the affected software.

Akrites uses Coordinated Vulnerability Disclosure, a standardized process for handling security reports confidentially. The initiative builds on established systems including CVE identifiers, the CVSS severity scoring framework and the TLP traffic-light protocol for controlling who can access sensitive information.

Confidentiality is a major part of the design. Every report begins at TLP:RED, the highest classification level, and only the assigned case team can access it. The purpose is to reduce the risk that details of a flaw become public before a patch is ready.

Maintainers stay in control of fixes

Akrites is not framed as a replacement for open-source maintainers. Finished fixes are intended to flow back into the original project on the maintainer’s terms. That matters because open-source governance depends on project maintainers retaining control over what changes enter their codebases.

The initiative also addresses a harder case: critical packages that no longer have an active maintainer. Volunteer-run projects can lose maintainers over time, even when the software remains important to many users. For those situations, Akrites plans to act as a maintainer of last resort and ship the needed patch itself.

That fallback role is meant to prevent critical fixes from stalling simply because no active maintainer is available. It also gives users of abandoned but important projects a path to receive security updates in time.

What comes next for Akrites

Akrites is beginning with seed funding from Alpha-Omega, a directed fund under the Linux Foundation. The initiative is also inviting other organizations to contribute engineering resources or funding.

The project plans to coordinate with government agencies as well, so private and public defenders can work in lockstep. That coordination reflects the broader nature of open-source risk: when critical open-source software is vulnerable, the affected users are not limited to one company or sector.

The larger message is that AI changes the tempo of security work. If AI models can help uncover vulnerabilities much faster, defenders need a process that can validate, prioritize and patch at similar speed. Akrites is the Linux Foundation’s attempt to make that response more organized, more confidential and less burdensome for the maintainers who keep open-source software running.