AI Safety · 5 min read

Akrites: Linux Foundation and 20 firms to patch open-source flaws

Akrites gathers about twenty tech companies, AI labs and banks into a shared SIRT to vet reports.

The Brieftide

TL;DR

  • Akrites gathers about twenty tech companies, AI labs and banks into a shared SIRT to vet reports.
  • Akrites is a shared industry effort, backed by the Linux Foundation and seed funding from Alpha-Omega, that centralizes vulnerability handling for critical open-source projects.
  • The initiative brings roughly 20 organisations together so they stop reporting the same flaws separately and instead funnel issues through a single Security Incident Response Team, or SIRT.

The Linux Foundation has launched Akrites, a coordinated industry initiative that will patch vulnerabilities in widely used open-source software alongside maintainers before AI-enabled attackers can exploit them. About twenty tech companies, AI labs, and banks have joined the effort; founding members include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler.

What is Akrites and who joined?

Akrites is a shared industry effort, backed by the Linux Foundation and seed funding from Alpha-Omega, that centralizes vulnerability handling for critical open-source projects. The initiative brings roughly 20 organisations together so they stop reporting the same flaws separately and instead funnel issues through a single Security Incident Response Team, or SIRT.

The founding roster spans cloud providers, AI labs, banks and security vendors. The announcement lists Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler among the initial members.

How will Akrites work?

Akrites will route incoming vulnerability reports to a shared SIRT that vets, deduplicates and coordinates fixes, using established standards such as the CVE identifier system, the CVSS severity framework and the TLP traffic-light protocol. Reports are handled confidentially: every report starts at TLP:RED and only the assigned case team can access details until a patch is ready.

The SIRT will act as a single point of contact for maintainers, reducing duplicate reports and conflicting patches that currently burden volunteer maintainers. Finished fixes will flow back into the original projects on the maintainer's terms. If a critical package no longer has an active maintainer, Akrites says it will step in as a "maintainer of last resort" and ship the needed fix itself so users receive patches in time. The initiative also plans to coordinate with government agencies so private and public defenders move in lockstep.
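To make the described intake concrete, here is a small Python model of the SIRT flow: duplicate reports of one flaw fold into a single case, case details stay at TLP:RED until a fix ships, and a case routes either to the project's maintainer or to the maintainer-of-last-resort path. This is an added illustration, not Akrites' own code; the data model, the fingerprint-based deduplication key, the state names and the CVE placeholder are assumptions.

```python
"""Toy model of the Akrites-style SIRT intake described above (added example,
not Akrites' code; fields, states and the dedup key are assumptions)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Report:
    project: str
    fingerprint: str   # assumed: stable id of the flaw, e.g. hash of file+sink
    reporter: str
    cvss: float

@dataclass
class Case:
    project: str
    fingerprint: str
    reporters: list = field(default_factory=list)
    cvss: float = 0.0
    tlp: str = "RED"                       # every case starts at TLP:RED
    team: set = field(default_factory=set) # only the case team sees details
    state: str = "triage"
    cve: Optional[str] = None

class Sirt:
    def __init__(self, active_maintainers):
        self.active = set(active_maintainers)   # projects with a live maintainer
        self.cases = {}                         # (project, fingerprint) -> Case

    def intake(self, r: Report) -> Case:
        """Open a case for a new flaw, or fold a duplicate report into it."""
        key = (r.project, r.fingerprint)
        case = self.cases.get(key)
        if case is None:
            case = self.cases[key] = Case(r.project, r.fingerprint)
        case.reporters.append(r.reporter)
        case.cvss = max(case.cvss, r.cvss)      # keep the highest CVSS seen
        return case

    def can_view(self, case: Case, who: str) -> bool:
        """TLP:RED gating: outside the case team nobody sees details."""
        return case.tlp != "RED" or who in case.team

    def route(self, case: Case, cve_id: str) -> str:
        """Assign a CVE and send the fix to the maintainer or last-resort path."""
        case.cve = cve_id
        case.state = "maintainer" if case.project in self.active else "last_resort"
        return case.state

    def ship(self, case: Case) -> None:
        """Patch is out: details may now be shared beyond the case team."""
        case.state, case.tlp = "patched", "CLEAR"
```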

What problem is Akrites trying to solve?

Akrites targets an acceleration in offensive capability caused by modern AI: models can scan a large project in minutes instead of weeks, exposing flaws far faster and enabling attackers without deep expertise to carry out complex exploits. Today's response model is a patchwork: many organisations independently scan and report the same packages, sometimes producing conflicting patches and overwhelming maintainers.

Endor Labs CEO Varun Badhwar framed the urgency bluntly: "of thousands of validated open-source vulnerabilities from recent months, fewer than five percent have been patched." Akrites aims to reduce that gap by centralising vetting and disclosure.

Why it matters

Akrites changes who coordinates and confers with maintainers. Centralising triage into a single SIRT reduces duplicate effort and the risk that genuine, exploitable bugs will be lost in noise. The combination of faster code scanning by AI and low patch rates for validated vulnerabilities means the window for attackers to weaponise flaws has narrowed. By making confidentiality and standards like CVE, CVSS and TLP central, Akrites attempts to keep details out of public view until fixes are ready, which could blunt the advantage attackers gain from rapid automated discovery.

What to watch

Watch for the first public examples of the SIRT workflow: how quickly Akrites assigns CVEs, whether maintainers accept patches delivered by the initiative, and the next disclosures that start at TLP:RED. The programme's ability to ship fixes for abandoned projects and to coordinate with government agencies will be the clearest signal that it can close the current patching gap.

Akrites vulnerability handling flow (diagram; only the node labels survive extraction):

  • Reporter: a researcher or scanning organisation files a confidential report (starts at TLP:RED)
  • Akrites SIRT: vets, deduplicates and coordinates the fix; assigns a CVE and scores it with CVSS
  • Project maintainer: keeps control of fixes; the patch is merged on the maintainer's terms
  • Maintainer of last resort: Akrites ships the fix itself if the project has no active maintainer
  • Standards: CVE, CVSS, TLP (reports start at TLP:RED)
  • Patch release: fix merged into the project or distributed by Akrites
  • Government agencies: coordination channel with public defenders

Written by The Brieftide · Source: The Decoder
