
In brief
- The Linux Foundation launched Akrites on Thursday with 19 founding members to coordinate the remediation of critical open source vulnerabilities before AI-enabled attackers can exploit them.
- Fewer than 5% of the thousands of open-source vulnerabilities surfaced by AI in recent months have been patched, according to Endor Labs CEO Varun Badhwar.
- Akrites is designed to close this coordination gap.
The Linux Foundation launched Akrites on Thursday alongside 19 founding organizations—Amazon, Anthropic, Citi, Google, JPMorganChase, Microsoft, NVIDIA, OpenAI, and others—to coordinate the patching of critical open-source software before AI-powered attackers can exploit it.
The initiative addresses a timeline problem that AI has made urgent. Frontier models can now scan a major open-source project and return multiple confirmed vulnerabilities in minutes—work that used to take a skilled security researcher weeks. As Decrypt has reported, Claude Opus 4.8 uncovered a critical flaw in Zcash’s Orchard privacy pool within a day, exposing a bug that had survived four years of cryptographer review.
If white hat hackers find those flaws, everything is fine. If malicious actors find them first, things can get messy, fast. Anthropic Deputy CISO Jason Clinton said in the open letter that the existing model for coordinated disclosure “has been outpaced by how quickly AI can now find vulnerabilities,” and that getting a fix upstream requires coordinating on findings “before they’re disclosed and exploited.”
The coordinated disclosure model that predated Akrites was not built for that speed. Multiple organizations would independently scan the same libraries and go through long bureaucratic processes before fixing bugs, a process that an open letter signed by all 19 founding organizations said was burying “the maintainers under noise.”
Endor Labs CEO Varun Badhwar went further: of the thousands of validated open-source vulnerabilities AI has surfaced in recent months, “fewer than 5% have been patched.”
Akrites replaces that process with a single, confidential Security Incident Response Team—one predictable partner for maintainers rather than a flood of uncoordinated reports. Fixes return to each project’s original repository on maintainers’ terms, using standards for vulnerability tracking. When a critical package has no active maintainer, Akrites commits to stepping in as maintainer of last resort.
The program was built first to prevent leaks; the open letter called an undisclosed flaw in a widely deployed package “a weapon.” Rust Foundation CEO Rebecca Rumbul said the goodwill of open-source maintainers has been taken for granted for too long, and that this initiative will help them work in coordination.
“Akrites promises meaningful coordination with upstream maintainers, financial, and full-time support to find, fix and disclose security vulnerabilities responsibly, and a genuine commitment from the most influential companies across tech and finance to solve this problem,” she said.
JPMorganChase CISO Pat Opet outlined what success actually requires for the effort. “AI has massively compressed the time between vulnerability discovery and exploitation to near real time,” Opet said—meaning adversaries can reverse-engineer a published patch and build a working exploit before many downstream systems have deployed the fix.
Success, per Opet, is “patch deployment, not patch publication.”
OpenAI had launched its own parallel effort, Patch the Planet, three days before Akrites—a first sprint using GPT-5.5-Cyber and Trail of Bits engineers across 19 open-source projects that merged dozens of patches. OpenAI Cyber Lead Clint Gibler called securing open source “a long-term commitment” for the company and said Akrites helps “strengthen coordination across the industry.”
Though similar, the two efforts differ in scope: Patch the Planet focuses on AI-assisted discovery and patch delivery with expert human review; Akrites builds the coordination layer that routes validated findings upstream across the industry.
Alpha-Omega, a Linux Foundation directed fund, will provide seed funding for Akrites. The fund has issued over 70 grants totaling more than $20 million to open-source security projects since 2022. Other organizations can join by contributing engineering resources or funding at akrites.org.