DEV Community

Hamza
The Akrites Project: Inside the Largest Coordinated Open Source Security Initiative in History

The Short Answer

On June 25, 2026, the Linux Foundation launched Akrites, the largest coordinated open source security initiative in history. Uniting 19 founding members—including AWS, Google, Microsoft, OpenAI, Anthropic, NVIDIA, JPMorganChase, and Cisco—Akrites creates a shared Security Incident Response Team (SIRT) and standardized disclosure process to defend open source software against AI-powered vulnerability discovery. With AI models now finding critical flaws in minutes rather than weeks, and fewer than 5% of discovered vulnerabilities getting patched, the initiative represents the tech industry's most ambitious attempt to defend the open source commons at machine speed.

The Crisis: AI Can Find Vulnerabilities Faster Than Anyone Can Patch Them

Frontier AI models have fundamentally changed the timeline of vulnerability discovery. What used to take an expert security researcher weeks now takes a machine minutes, and often the AI returns multiple confirmed vulnerabilities in a single pass. The result is a flood that the open source ecosystem was never designed to handle.

The numbers are stark. Endor Labs CEO Varun Badhwar reports that of thousands of validated open source vulnerabilities surfaced in recent months, fewer than 5% have been patched. The OpenInfra Foundation logged 20 security advisories in Q2 2026 alone—compared to just 2 in all of 2025—a tenfold surge driven overwhelmingly by AI-powered scanning.

The most dramatic example came when Claude Opus 4.8, in a single day, discovered a critical vulnerability in Zcash's Orchard protocol that had survived four years of cryptographer review. As the Akrites Open Letter puts it: "An undisclosed flaw in a widely deployed package is a weapon."

This crisis builds on trends TekMag has covered—the scale of attacks like FortiBleed and AI-powered cybersecurity playbooks.

What Is Akrites?

Akrites is not a tool or platform. It is a coordination layer designed to solve a coordination problem: a shared Security Incident Response Team (SIRT) and a Coordinated Vulnerability Disclosure (CVD) process that integrates existing standards, including CVE, CWE, CVSS, EPSS, SSVC, VEX, and TLP.

Maintainer of Last Resort

If a critical open source package has an unpatched vulnerability and its maintainers are unresponsive, Akrites can step in to fix it directly—the initiative's most controversial element.

The Unprecedented Coalition

  • Cloud rivals: AWS, Google, Microsoft (and GitHub)
  • AI competitors: OpenAI and Anthropic at the same table
  • Financial institutions: JPMorganChase, Citi
  • Infrastructure: NVIDIA, Cisco, Ericsson, Vodafone, IBM, Red Hat, Zscaler
  • Security specialists: Chainguard, Endor Labs, Sonatype, RapidFort
  • Open source foundations: The Rust Foundation

JPMorganChase CISO Pat Opet: "The success of our efforts will be measured in patch deployment, not publication."

Skepticism and Governance Concerns

The Hacker News community met Akrites with intense skepticism. "The commons cannot be in the hands of for-profit companies," wrote one commenter. The "maintainer of last resort" clause was viewed by some as a governance threat.

"I yearn for the day I see a headline like 'We All Depend on Open Source. We Will Fund It Together,'" wrote Hacker News user seanclayton.

Even skeptics acknowledged the tension: "Attackers aren't known for following laws."

The Bigger Picture: A Wave of Initiatives

Three days before Akrites, OpenAI announced "Patch the Planet", an AI-assisted vulnerability sprint across 19 projects using GPT-5.5-Cyber and Trail of Bits. The Rust Foundation's CEO Rebecca Rumbul described Akrites as promising "meaningful coordination with upstream maintainers."

FAQ

Who can join? Any current Linux Foundation member that signs the NDA.

How is it funded? Seeded by Alpha-Omega (LF fund, $20M+ in security grants since 2022).

Does it replace existing tools? No. It is a coordination layer that standardizes reporting alongside existing scanners.

Originally published on TekMag