The Linux Foundation has introduced Akrites, a strategic initiative launched in partnership with 19 founding organizations, including Amazon, Anthropic, Citi, Google, JPMorganChase, Microsoft, NVIDIA, and OpenAI, to synchronize the patching of critical open-source software before AI-powered attackers can exploit its vulnerabilities.
The project addresses a critical acceleration in the threat landscape. Modern frontier AI models can now analyze major open-source projects and identify multiple confirmed vulnerabilities in minutes, a task that previously required weeks of manual effort from expert security researchers. For instance, Claude Opus 4.8 recently identified a critical flaw in Zcash’s Orchard privacy pool within a single day, uncovering a bug that had gone unnoticed through four years of professional cryptographic review.
While these discoveries are beneficial when made by “white hat” researchers, the same flaws become dangerous if malicious actors find them. Jason Clinton, Deputy CISO at Anthropic, noted that traditional coordinated disclosure models have been outpaced by the speed of AI, necessitating a more streamlined approach to coordinating fixes before vulnerabilities are publicly disclosed and exploited.
Prior to Akrites, the disclosure process was often fragmented and bureaucratic. Multiple organizations would independently scan the same libraries and submit redundant reports, which the founding members described as “burying maintainers under noise.” Endor Labs CEO Varun Badhwar highlighted the severity of the gap, stating that fewer than 5% of the thousands of AI-surfaced open-source vulnerabilities have actually been patched.
Akrites solves this by establishing a single, confidential Security Incident Response Team. This provides maintainers with a predictable point of contact rather than a deluge of uncoordinated alerts. Validated fixes are returned to the original repositories on the maintainers’ terms using industry-standard tracking. In cases where a critical package lacks an active maintainer, Akrites has committed to acting as the maintainer of last resort.
The program’s primary goal is to prevent leaks, as an undisclosed flaw in a widely used package effectively becomes a weapon. Rebecca Rumbul, CEO of the Rust Foundation, emphasized that the goodwill of open-source maintainers has been overlooked for too long, and Akrites will provide the financial and professional support needed to find and fix vulnerabilities responsibly.
Pat Opet, CISO at JPMorganChase, warned that AI has compressed the window between discovery and exploitation to near real-time. This allows adversaries to reverse-engineer patches and develop exploits before downstream systems can even deploy the fix. According to Opet, the true measure of success for this initiative is “patch deployment, not patch publication.”
This effort complements OpenAI’s “Patch the Planet” initiative, launched shortly before Akrites. While Patch the Planet focuses on AI-assisted discovery and delivery—utilizing GPT-5.5-Cyber and Trail of Bits engineers—Akrites serves as the broader coordination layer that routes validated findings across the entire industry. OpenAI Cyber Lead Clint Gibler described securing open source as a “long-term commitment” and noted that Akrites strengthens overall industry coordination.
Initial funding for Akrites is provided by Alpha-Omega, a Linux Foundation-directed fund that has awarded over $20 million in grants to open-source security projects since 2022. Other organizations wishing to contribute funding or engineering resources can do so via akrites.org.


