Following the flood of vulnerabilities discovered in open-source projects in recent months, the Linux Foundation, in collaboration with leading technology, AI, financial, and cybersecurity companies, has announced Akrites, a new program to improve the reporting, remediation, and disclosure of critical vulnerabilities in open-source software.
The project launches as AI-assisted tools accelerate vulnerability discovery. While this helps defenders identify issues earlier, it also produces an influx of reports, many of which are duplicated, incomplete, uncoordinated, or difficult to verify promptly.
In response to all of this, Akrites is establishing a shared Security Incident Response Team and a standardized Coordinated Vulnerability Disclosure process for key open-source projects. The purpose is to ensure serious issues are dealt with responsibly, resolved upstream, and disclosed in a coordinated manner.
According to the Linux Foundation, the initiative is backed by a long list of founding members, including Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft, GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, the Rust Foundation, Sonatype, Vodafone, and Zscaler.
The project addresses the concern that discovery is outpacing traditional open-source response workflows. LLMs and other AI tools enable researchers to scan code and generate reports at scale. However, many FOSS projects are maintained by small teams or individual volunteers who might lack the resources to manage a spike in security reports.
This creates a common bottleneck in open-source security, because discovery is only the first step. Next, issues must be validated, assessed for severity, fixed, coordinated with vendors, assigned CVEs as needed, and disclosed without giving attackers an advantage.
This is where Akrites steps in: it is intended to serve as a trusted coordination layer. It will apply confidentiality-first principles and leverage established industry standards and tools such as CVE, TLP, CWE, CVSS, EPSS, SSVC, and VEX.
Additionally, the project may serve as a “maintainer of last resort” for critical packages that lack active maintainers. This is significant, as abandoned or under-maintained dependencies are a continual challenge in the open-source supply chain.
It is also worth noting that the project’s launch coincides with growing concerns about advanced AI models and cybersecurity. Recent restrictions on Anthropic’s Fable 5 and Mythos 5 models underscore fears that frontier AI could accelerate offensive security activities, such as vulnerability discovery and exploit development.
Akrites represents a defensive response: as AI accelerates flaw detection, the open-source community requires improved coordination to address security flaws before they are exploited.
Finally, the project’s success will depend more on effective collaboration with maintainers than on its founding members. If it reduces duplicate reports, improves patch coordination, and accelerates upstream fixes, it has the potential to complement existing open-source security initiatives such as OpenSSF and Alpha-Omega. Only time will tell if that will happen.
For additional details, refer to the Linux Foundation’s announcement.
