Open source software projects are getting a new framework for handling security vulnerabilities as AI shortens the time between flaw discovery and exploitation.
The Linux Foundation has launched Akrites, an industry initiative that brings together technology companies, financial institutions, security vendors, AI companies, and open source projects to support the remediation and disclosure of vulnerabilities affecting widely used open source software. Akrites aims to establish a common process for addressing security issues in software used across critical infrastructure and enterprise environments.
A shared approach to vulnerability response
Akrites establishes a shared Security Incident Response Team (SIRT) and a Coordinated Vulnerability Disclosure (CVD) process. Participating organizations will use common workflows and industry-standard tools to exchange vulnerability information, manage remediation, and coordinate disclosures until fixes are available.
The project focuses on software used in sectors including finance, healthcare, telecommunications, energy, government, and AI infrastructure. Many of these projects are maintained by small teams, even though their software is used by thousands of organizations.
“Open source powers the systems we rely on every day, running everything from banks and hospitals to power grids and AI platforms. As frontier AI accelerates vulnerability discovery, the risk has grown too large for any one organization to address alone. That’s why an ecosystem approach is critical, bringing the community, technology providers, and enterprises together to ensure vulnerabilities are addressed at the speed required,” Jamie Thomas, Enterprise Security Executive at IBM, explained.
Founding members include Amazon Web Services, Anthropic, Cisco, Citi, Endor Labs, Ericsson, GitHub, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, Sonatype, Vodafone, and Zscaler.
AI is changing vulnerability management
In an open letter published alongside the launch, the founding organizations said AI is accelerating vulnerability discovery and exploit development. They added that many open source maintainers lack the resources to keep up, increasing the need for a shared approach to vulnerability handling across the software ecosystem.
“Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before. That’s an enormous opportunity for defenders, and Akrites ensures we seize it together. Maintainers deserve a coordinated partnership, not a flood of reports. AWS is committed to securing the projects our customers depend on and building this shared infrastructure alongside the community,” said Matt Wilson, Vice President and Distinguished Engineer at Amazon Web Services.
Akrites provides operational support from vulnerability reporting through public disclosure. The project includes procedures for receiving reports, assigning response teams, managing remediation, communicating with affected organizations, and preparing security advisories before vulnerabilities are disclosed publicly.
Building on existing security initiatives
Akrites builds on existing Linux Foundation security efforts. Alpha-Omega funds security improvements for critical open source projects and supports maintainers. The Open Source Security Foundation (OpenSSF) develops security initiatives, standards, and tooling for the open source ecosystem. Akrites adds a coordinated incident response capability focused on handling vulnerabilities before public disclosure.
Mark Russinovich, Azure Chief Technology Officer, Deputy Chief Information Security Officer, and Technical Fellow at Microsoft, said OpenSSF and Alpha-Omega demonstrated how industry collaboration can strengthen open source security. He said Akrites builds on that work to address the growing impact of AI-powered vulnerability discovery and defense. As founding members, Microsoft and GitHub will contribute expertise, resources, and AI technologies to help identify and fix vulnerabilities across the open source software ecosystem.
Organizations that can contribute engineering resources, security expertise, or funding are invited to participate in the initiative.