After Fable 5 ban, Anthropic and 19 organizations launch open source security body

Summary: The arrival of frontier AI models capable of scanning major open source projects and identifying multiple vulnerabilities in a single pass is reshaping how the software industry approaches coordinated vulnerability disclosure and remediation. After the Fable 5 restrictions, Anthropic and 19 organizations launch a new initiative to strengthen open source security through coordinated vulnerability management.

The explosive growth of artificial intelligence is transforming software security in ways few organizations anticipated. While AI gives defenders powerful new capabilities to identify vulnerabilities, it also enables attackers to discover security flaws at unprecedented speed and scale. Concerned that the open source ecosystem is no longer equipped to keep pace with this new reality, the Linux Foundation and a coalition of leading technology companies have launched Akrites, a coordinated initiative designed to find, fix, and responsibly disclose vulnerabilities in critical open source software before they can be exploited.

The initiative brings together an unusually broad alliance of organizations, including Amazon Web Services, Anthropic, Cisco, Google, IBM, JPMorganChase, Microsoft, GitHub, NVIDIA, OpenAI, Red Hat, Sonatype, Vodafone, Zscaler, and several other technology and security companies. Rather than each organization independently reporting vulnerabilities to project maintainers, Akrites aims to establish a single, coordinated process that reduces duplication, improves communication, and accelerates remediation across the software supply chain.

The launch reflects a growing concern within the cybersecurity community: AI has dramatically shortened the time between vulnerability discovery and potential exploitation. Tasks that once took experienced security researchers weeks of manual analysis can now be performed by advanced AI models in minutes. This shift has fundamentally altered the balance between defenders and attackers, creating a situation where maintainers of widely used open source projects struggle to respond quickly enough to the growing volume of vulnerability reports.

One of the primary problems Akrites seeks to solve is fragmentation. Today, multiple organizations often discover the same vulnerability independently and contact maintainers separately, sometimes proposing different fixes or generating duplicate reports. For maintainers—many of whom are volunteers or work with limited resources—this flood of uncoordinated disclosures can delay remediation rather than accelerate it. Akrites introduces a shared Security Incident Response Team (SIRT) and a standardized Coordinated Vulnerability Disclosure (CVD) process to centralize communication and reduce unnecessary operational overhead.

Confidentiality is another cornerstone of the initiative. Rather than publicly disclosing vulnerabilities immediately after discovery, participating organizations will coordinate privately with project maintainers to validate issues, develop patches, and prepare fixes before technical details become available. This approach is intended to reduce the opportunity for threat actors to weaponize newly discovered vulnerabilities before organizations have time to deploy updates.

Akrites also addresses a longstanding weakness in the open source ecosystem: abandoned or undermaintained projects. Critical libraries and components often remain widely deployed long after active maintenance has slowed or ceased entirely. In situations where no maintainer is available, Akrites plans to act as a maintainer of last resort, helping coordinate security fixes so that vulnerable software can continue receiving updates instead of leaving users exposed indefinitely.

The initiative focuses particularly on software that underpins critical infrastructure. Open source components form the foundation of modern banking platforms, healthcare systems, telecommunications networks, cloud services, energy providers, government infrastructure, and artificial intelligence platforms. A single vulnerability in one widely adopted library can impact thousands of organizations simultaneously, making coordinated remediation increasingly important as software supply chains continue to expand.

Artificial intelligence plays a dual role within the project. While AI has contributed to the acceleration of vulnerability discovery, the participating organizations also intend to leverage advanced AI models to help defenders identify, validate, and prioritize vulnerabilities more efficiently. The objective is to ensure that defensive capabilities evolve at least as quickly as offensive techniques, preventing attackers from gaining a lasting advantage through automation alone.

Industry leaders involved in Akrites argue that success should no longer be measured solely by how quickly vulnerabilities are disclosed. Instead, the more meaningful metric is how rapidly security patches reach production environments before attackers can develop working exploits. This philosophy reflects a shift away from disclosure-focused security practices toward remediation-focused collaboration that prioritizes protecting downstream users over publishing vulnerability information as quickly as possible.

Akrites also builds upon previous Linux Foundation security efforts, including Alpha-Omega and the Open Source Security Foundation (OpenSSF), by adding an operational layer dedicated specifically to coordinated incident response. Seed funding for the initiative comes from Alpha-Omega, while participating organizations contribute engineering resources, security expertise, and financial support to sustain the effort over the long term.

As AI continues to compress the timeline from vulnerability discovery to exploitation, collaborative initiatives like Akrites may become essential for protecting the software supply chain. Rather than competing to discover vulnerabilities first, many of the world’s largest technology companies are signaling that defending critical open source infrastructure requires unprecedented levels of cooperation. In an era where a single AI model can uncover multiple vulnerabilities in minutes, coordinated defense may prove to be just as important as technological innovation itself.

Key facts

  • Anthropic and 19 other organizations have launched an open-source security body
  • The initiative follows the Fable 5 ban
  • The group aims to address security concerns raised by frontier AI models
  • These AI models can scan open-source projects for vulnerabilities

Why it matters

The formation of this open-source security consortium addresses the growing concern that advanced AI models can rapidly identify vulnerabilities in widely used software. This initiative aims to proactively coordinate the discovery and remediation of security flaws, potentially reducing the attack surface for countless projects and mitigating risks across the software supply chain.