Summary
- On Thursday, the Linux Foundation unveiled Akrites, backed by 19 founding organizations, with the goal of getting critical open-source vulnerabilities fixed before AI-driven attackers can exploit them.
- According to Endor Labs' CEO Varun Badhwar, less than 5% of the numerous open-source vulnerabilities identified by AI in recent months have been resolved.
- Akrites seeks to bridge the existing coordination gap in vulnerability remediation.
The Linux Foundation has officially launched Akrites with 19 founding members, including Amazon, Anthropic, Citi, Google, JPMorgan Chase, Microsoft, NVIDIA and OpenAI. The initiative aims to get significant open-source software vulnerabilities patched before AI-enabled attackers can exploit them.
This initiative responds to an urgent challenge posed by AI, which can now rapidly scan major open-source projects and identify multiple confirmed vulnerabilities in a matter of minutes—tasks that previously required weeks of work by skilled security researchers. For instance, as reported by Decrypt, the AI model Claude Opus 4.8 detected a critical issue in Zcash's Orchard privacy pool in just one day, revealing a bug that had persisted unnoticed for four years.
When ethical hackers find such vulnerabilities, the situation is manageable. When malicious actors find them first, the consequences can be severe, as a CrowdStrike report has highlighted. Anthropic's Deputy CISO, Jason Clinton, said that the speed at which AI finds vulnerabilities has outpaced the current coordinated disclosure model, and that coordination on findings has to happen before they are publicly disclosed and exploited.
The existing coordinated disclosure model was never designed for the pace of AI-driven discovery. Organizations would independently scan the same libraries and then work through lengthy procedures before a bug was addressed, a process that an open letter signed by all 19 founding organizations describes as overwhelming for maintainers.
Varun Badhwar, CEO of Endor Labs, noted that of the thousands of confirmed open-source vulnerabilities identified by AI in recent months, "fewer than 5% have been patched."
Akrites aims to streamline this by establishing a single, confidential Security Incident Response Team, giving maintainers one reliable counterpart instead of a barrage of uncoordinated reports. Fixes will land in each project's own upstream repository on the maintainers' terms and will follow established standards for tracking vulnerabilities. Where a critical package has no active maintainer, Akrites will act as maintainer of last resort.
Confidentiality is built into the program from the outset: the open letter describes an undisclosed flaw in a widely used package as "a weapon." Rebecca Rumbul, CEO of the Rust Foundation, said that the goodwill of open-source maintainers has been taken for granted for too long and that the initiative will strengthen their collaborative efforts.
“Akrites offers meaningful coordination with upstream maintainers, alongside financial and full-time support to responsibly find, fix, and disclose security vulnerabilities, along with a sincere commitment from leading companies in tech and finance to tackle this issue,” Rumbul explained.
JPMorgan Chase's CISO, Pat Opet, framed the problem the initiative has to solve: "AI has significantly shortened the time between when a vulnerability is discovered and when it can be exploited, nearly to real-time." In practice, this means adversaries can reverse-engineer a released patch and build a working exploit before many downstream systems have applied the fix.
According to Opet, success is therefore defined as "patch deployment, not patch publication."
Just three days before the launch of Akrites, OpenAI started its own parallel project, Patch the Planet, a rapid-response effort that uses GPT-5.5-Cyber together with engineers from Trail of Bits to deliver dozens of patches across 19 open-source projects. Clint Gibler, OpenAI's Cyber Lead, stated that securing open source is a "long-term commitment" for the company and that Akrites plays a crucial role in improving industry-wide coordination.
While both initiatives share similarities, they differ in their scope: Patch the Planet centers on AI-assisted discovery and patch delivery with expert human oversight, whereas Akrites focuses on establishing a coordination framework that channels validated findings upstream across the industry.
Alpha-Omega, a fund directed by the Linux Foundation, will provide initial funding for Akrites. Since 2022, this fund has awarded over 70 grants, amounting to more than $20 million, to various open-source security projects. Additional organizations can participate by contributing engineering resources or funding through akrites.org.
