The Linux Foundation launched Akrites, a new industry initiative that aims to coordinate the discovery, remediation, and responsible disclosure of vulnerabilities in critical open source software as AI dramatically accelerates vulnerability discovery. The effort brings together major technology companies, AI developers, financial institutions, telecommunications providers, and cybersecurity firms to establish a shared Security Incident Response Team (SIRT) and a unified Coordinated Vulnerability Disclosure (CVD) process. Founding participants include Amazon Web Services, Anthropic, Cisco, Ericsson, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, Vodafone, Zscaler and numerous other organizations.
Akrites addresses a growing challenge created by frontier AI models, which can now analyze large open source codebases and identify security flaws in minutes rather than weeks. Rather than allowing dozens of organizations to independently report and patch the same vulnerabilities, Akrites provides a single coordination point that works directly with upstream maintainers using established industry frameworks including CVE, CWE, CVSS, EPSS, SSVC, VEX and the Traffic Light Protocol (TLP). The initiative also plans to coordinate with government cybersecurity efforts and will act as a “maintainer of last resort” when critical software projects no longer have active maintainers.
The initiative receives initial funding from Alpha-Omega, a directed fund of the Linux Foundation, and invites additional organizations to contribute engineering resources or financial support. Alongside the launch, the founding members published an open letter titled “We All Depend on Open Source. We Will Defend It Together,” emphasizing that AI has fundamentally changed the economics of software vulnerability discovery and requires a coordinated industry response to ensure patches reach critical infrastructure before vulnerabilities become widely exploited.
• Launches a shared Security Incident Response Team (SIRT) for critical open source projects.
• Creates a standardized, confidentiality-first Coordinated Vulnerability Disclosure (CVD) process.
• Coordinates vulnerability remediation before public disclosure and exploitation.
• Supports upstream maintainers rather than distributing competing or duplicate patches.
• Uses established security frameworks including CVE, CWE, CVSS, EPSS, SSVC, VEX and TLP.
• Coordinates with government cybersecurity initiatives.
• Serves as maintainer of last resort for abandoned but widely deployed open source packages.
• Seed funding provided by Linux Foundation’s Alpha-Omega program.
• Founding participants span cloud providers, AI companies, networking vendors, financial institutions and security companies.
Jim Zemlin, Executive Director of the Linux Foundation, said the initiative reflects a new security reality in which AI dramatically compresses the timeline between vulnerability discovery and potential exploitation, making coordinated industry response essential to protecting the open source software underpinning critical infrastructure worldwide.
🌐 Analysis
Akrites represents one of the broadest industry security collaborations launched in response to AI-assisted software development and security research. Unlike previous open source security efforts that focused primarily on vulnerability discovery or software supply chain transparency, Akrites concentrates on coordinating remediation before vulnerabilities become public. The participation of hyperscalers, frontier AI developers including Anthropic and OpenAI, networking companies such as Cisco and Ericsson, financial institutions including JPMorganChase and Citi, and infrastructure vendors including NVIDIA reflects growing recognition that AI is compressing the window between vulnerability discovery and active exploitation.
