Andrew Kew

Anthropic, Google, and Microsoft just built a shared security team for open source. AI is why.

AI can now scan major open-source projects and surface a batch of real, exploitable vulnerabilities in a single pass. That's a defensive win — until you remember attackers have the same tools.

Anthropic, Google, Microsoft, OpenAI, AWS, and 15 other organizations aren't waiting for that race to get worse. On Thursday they launched Akrites under the Linux Foundation — a coordinated body built specifically for AI-era vulnerability discovery, remediation, and disclosure in critical open-source software.

What actually changed

  • A shared Security Incident Response Team (SIRT) replaces the fragmented model where multiple orgs independently scan the same libraries, file duplicate CVEs, and bury maintainers in noise
  • Patch first, publish second — findings are held under strict confidentiality until a fix is ready and tested
  • Fallback maintainer coverage — if a project has no active maintainer, Akrites steps in so fixes still reach downstream users
  • Funded by Alpha-Omega, an OpenSSF project with $7M+ annual budget backed by the same founding members
  • Three membership tiers — Premier (critical infra operators), General (contributing orgs), Associate (OSS foundations, free)

The name comes from the Akritai — Byzantine soldiers who guarded the empire's outermost borders. The places most exposed, most frequently attacked, and most dependent on whoever showed up to defend them.

The problem it's actually solving

The current coordinated disclosure model was designed around a world where finding vulnerabilities took weeks of expert work. AI has collapsed that timeline.

Endor Labs CEO Varun Badhwar put a number on it: thousands of validated open-source vulns surfaced by AI in recent months, with fewer than 5% patched. And the old model makes it worse — every org independently sitting on knowledge of an unpatched flaw is another leak risk before a fix exists.

"For years, we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore." — Varun Badhwar, Endor Labs

Anthropic's deputy CISO Jason Clinton framed the structural problem: coordinated disclosure hasn't kept up with how fast AI finds problems. Getting patches upstream before disclosure — not after — is the whole bet.

The context: why now

Anthropic's own cybersecurity models are part of the backstory. In early June, Anthropic released Fable 5 and Mythos 5 — the first generally available models built specifically for security defense. Three days later, the US government suspended them after researchers demonstrated they could assist with cyberattacks.

That's the exact threat model Akrites is designed around. Defenders and attackers have identical AI access. The answer isn't better models in isolation — it's faster, coordinated patching.

What to do

  • Using open-source packages in production? This matters to you — the packages you depend on should see faster patching cycles as Akrites scales
  • Working in security at a company building on OSS? Membership is open now — General tier is for orgs that want to contribute without committing large engineering resources
  • Maintaining a critical open-source project? Akrites is positioning itself as the single trusted inbound channel for AI-discovered vuln reports — one signal instead of dozens of duplicate reports

Sources: The New Stack · Linux Foundation announcement · Akrites

✏️ Drafted with KewBot (AI), edited and approved by Drew.

Top comments (1)

algorhymer

Are these the guys who nuked Unisuper's infra?