
In brief
- The Linux Foundation launched Akrites on Thursday with 19 founding members to coordinate remediation of critical open source vulnerabilities before AI-enabled attackers can exploit them.
- Less than 5% of the thousands of open source vulnerabilities uncovered by AI in recent months have been patched, according to Varun Badhwar, CEO of Endor Labs.
- Akrites is designed to bridge this coordination gap.
The Linux Foundation launched Akrites on Thursday together with 19 founding organizations, including Amazon, Anthropic, Citi, Google, JPMorganChase, Microsoft, NVIDIA and OpenAI, to coordinate the patching of critical open source software before AI-enabled attackers can exploit it.
The initiative addresses a timeline problem that artificial intelligence has made urgent. Frontier models can now scan a large open source project and return multiple confirmed vulnerabilities in minutes, work that used to take skilled security researchers weeks. As Decrypt has reported, Claude Opus 4.8 exposed a critical flaw in Zcash's Orchard privacy suite within a day, revealing a bug that had survived four years of review by its cryptographic designers.
If white hat hackers find these flaws, all is well. If malicious actors find them first, things can get really messy, really fast. Jason Clinton, Vice President of IT, said in the open letter that the current model of coordinated disclosure "has been outpaced by the speed with which AI can now find vulnerabilities," and that reaching a fix quickly requires coordination on findings "before they are disclosed and exploited."
The coordinated disclosure model that preceded Akrites was not built for this speed. Multiple institutions independently scan the same libraries and then work through long bureaucratic processes before a fix lands, a pattern the open letter, signed by all nineteen founding organizations, describes as burying "maintainers under the noise."
Varun Badhwar, CEO of Endor Labs, goes further: of the thousands of verified open source vulnerabilities that AI has uncovered in recent months, "less than 5% have been patched."
Akrites replaces this process with a single, confidential security incident response team, giving maintainers a predictable partner rather than a stream of uncoordinated reports. Fixes are contributed back to each project's upstream repository on the maintainers' own terms, using standard vulnerability tracking. When a critical package has no active maintainer, Akrites commits to step in as maintainer of last resort.
The structure is built to prevent leaks: the open letter describes an undisclosed flaw in a widely distributed package as a "weapon." The goodwill of open source maintainers has been taken for granted for too long, and this initiative will help them work in concert, said Rebecca Rumbul, CEO of the Rust Foundation.
“Akrites promises meaningful coordination with upstream maintainers, financial backing and full-time support to find, fix and disclose vulnerabilities in a responsible manner, and a real commitment from the most influential companies across technology and finance to solve this problem,” she said.
Pat Opet, chief information security officer at JPMorganChase, explained what it will actually take for these efforts to succeed. "AI has dramatically compressed the time between discovery of vulnerabilities and exploitation to near real-time," Opet said, meaning adversaries can reverse engineer a released patch and build exploits before many downstream systems have deployed the fix.
Success, according to Opet, is “patch deployment, not patch deployment.”
OpenAI launched its parallel effort, Patch the Planet, three days before Akrites; its first sprint, using GPT-5.5-Cyber and Trail of Bits engineers across 19 open source projects, has already landed dozens of patches. Clint Gibler, president of OpenAI Cyber, called securing open source a "long-term commitment" for the company and said Akrites helps "foster cross-industry coordination."
Although similar, the efforts differ in scope: Patch the Planet focuses on AI-assisted discovery and patch delivery with expert human review, while Akrites is building the coordination layer that routes validated findings across the industry.
Alpha-Omega, a fund directed by the Linux Foundation, will provide seed funding for Akrites. The fund has issued more than 70 grants totaling more than $20 million for open source security projects since 2022. Other organizations can join by contributing engineering resources or funding at akrites.org.