Linux Foundation and 20 tech giants launch Akrites to fix open-source flaws before AI-powered attacks hit

Source: The Decoder · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Software Development & Engineering · Depth: Fundamental Awareness, quick

Summary

On June 26, 2026, the Linux Foundation, alongside approximately 20 tech companies, AI labs, and banks, launched Akrites, an initiative to proactively address security flaws in critical open-source software. Founding members include Amazon Web Services, Anthropic, Google, Microsoft, NVIDIA, and OpenAI. Akrites aims to counter the growing threat of AI models rapidly identifying vulnerabilities, which could empower even non-experts to launch sophisticated attacks. The initiative establishes a shared Security Incident Response Team (SIRT) to centralize and vet vulnerability reports, replacing the current fragmented disclosure system. This team coordinates fixes using established standards and conventions such as Coordinated Vulnerability Disclosure, CVE, CVSS, and TLP:RED, keeping reports confidential. For projects lacking active maintainers, Akrites will act as a "maintainer of last resort," shipping necessary patches directly. Initial funding is provided by Alpha-Omega, a Linux Foundation fund.

Key takeaway

For AI Security Engineers managing open-source software supply chain risks, Akrites represents a crucial evolution in vulnerability management. You should integrate its coordinated disclosure process into your organization's security protocols. Prioritize contributing engineering resources or funding to support this centralized industry effort. This proactive engagement is essential to mitigate the heightened risk of AI-accelerated exploits against unpatched open-source vulnerabilities, ensuring your systems remain secure against emerging threats.

Key insights

AI-powered vulnerability discovery necessitates a coordinated, confidential, and centralized open-source security response.

Method

Akrites establishes a shared Security Incident Response Team (SIRT) to confidentially vet incoming vulnerability reports, filter duplicates, and coordinate fixes with maintainers, or apply patches directly for abandoned projects, following Coordinated Vulnerability Disclosure standards.

Best for: CTO, VP of Engineering/Data, Executive, AI Security Engineer, Security Engineer, Director of AI/ML

Editorial summary, takeaway, and curation by AIssential. Original article published by The Decoder.