Linux Foundation Debuts Akrites to Speed Up Open Source Vulnerability Fixes

The Linux Foundation introduced Akrites on Thursday together with 19 founding organizations to organize the repair of serious open source weaknesses ahead of exploitation by AI-enabled adversaries.

Akrites forms a dedicated security response team for open source. Founding participants include Amazon, Anthropic, Citi, Google, JPMorganChase, Microsoft, NVIDIA, OpenAI and additional entities. The project establishes one confidential Security Incident Response Team that serves as a reliable contact for maintainers, replacing the previous deluge of separate notifications from various groups.

Repairs are contributed back to each project's native repository according to the preferences of its maintainers and following established vulnerability tracking protocols. Should a vital package lack an active maintainer, Akrites pledges to assume the role of maintainer of last resort.

AI has accelerated vulnerability discovery beyond current coordination models. Advanced models can now examine a large open source codebase and identify several verified issues within minutes, a task that formerly demanded weeks from experienced security analysts. As Decrypt has reported, Claude Opus 4.8 detected a critical flaw in Zcash's Orchard privacy pool inside one day, revealing a defect that had persisted through four years of examination by cryptographers.

Anthropic Deputy CISO Jason Clinton stated in the open letter that the prior coordinated disclosure framework "has been outpaced by how quickly AI can now find vulnerabilities" and that upstream repairs demand alignment on discoveries "before they're disclosed and exploited." Earlier workflows often resulted in separate teams reviewing identical libraries through extended administrative steps prior to resolution.

Fewer than 5% of AI-surfaced vulnerabilities have been patched. Endor Labs CEO Varun Badhwar reported that of the thousands of validated open source flaws surfaced by AI during recent months, "fewer than 5% have been patched." The letter endorsed by all 19 founding organizations described the former method as one that buries maintainers "under noise."

Rust Foundation CEO Rebecca Rumbul observed that the goodwill of open source maintainers has been presumed for too long, and the new project will enable better coordinated efforts among them. She added that Akrites "promises meaningful coordination with upstream maintainers, financial, and full-time support to find, fix and disclose security vulnerabilities responsibly, and a genuine commitment from the most influential companies across tech and finance to solve this problem."

Success metric shifts from patch publication to deployment. JPMorganChase CISO Pat Opet explained that AI has greatly shortened the interval between flaw identification and exploitation to nearly instantaneous levels. Consequently, opponents may analyze a released patch and create a functional attack before numerous downstream users have implemented the correction.

Opet declared that true success consists of "patch deployment, not patch publication." OpenAI introduced its separate initiative, Patch the Planet, three days prior to Akrites. That project employed GPT-5.5-Cyber along with Trail of Bits engineers on 19 open source projects and integrated dozens of repairs.

OpenAI Cyber Lead Clint Gibler described securing open source as "a long-term commitment" for the firm and noted that Akrites helps "strengthen coordination across the industry." Although the programs overlap, Patch the Planet centers on AI-supported identification plus patch application backed by specialist human oversight, whereas Akrites constructs the underlying coordination framework.