Open-source security gets a “nuclear umbrella”: Akrites project officially launched

The Linux Foundation, together with more than 20 tech giants including OpenAI, Anthropic, Microsoft, and Google, has launched the Akrites Project to establish a shared security response team and a unified vulnerability disclosure process, specifically aimed at addressing the open-source security crisis brought about by the rapid vulnerability discovery capabilities of large AI models.
Open-Source Security Gets a “Nuclear Umbrella”: The Akrites Project Officially Launches
Yesterday, the Linux Foundation announced a major development: it has joined forces with more than 20 tech giants including Amazon, Anthropic, OpenAI, Microsoft, Google, NVIDIA, and Red Hat to launch the Akrites Project.
This is not just another “symbolic alliance.” Akrites aims to solve a rapidly worsening problem — AI is finding security vulnerabilities faster than the open-source community can patch them.
The Core Problem: The Growing Imbalance Between Offense and Defense
In recent years, large language models (LLMs) have made tremendous strides in code understanding and generation. This has led to an unexpected side effect — using LLMs to discover vulnerabilities has become extremely efficient.
Traditionally, vulnerability discovery relied on security researchers manually auditing code or running fuzzing tools, which could be time-consuming. A seasoned researcher might take weeks to audit a medium-sized open-source project. Now, you can feed a snippet of code into Claude or GPT-4, and within minutes, it can flag potential buffer overflows, SQL injections, or privilege bypasses. There are false positives, of course, but the efficiency gain is orders of magnitude higher.
What does this mean?
Attackers can now use AI to automatically scan popular open-source projects on GitHub for vulnerabilities.
Meanwhile, defenders — the developers maintaining critical infrastructure like the Linux kernel, OpenSSL, curl, and log4j — are still the same small teams with the same limited time.
The speed gap is widening. The core goal of the Akrites Project is to add weight to the defensive side of this unbalanced scale.

What Akrites Will Actually Do
According to information released by the Linux Foundation, Akrites consists of three main components:
1. Shared Security Incident Response Team (SIRT)
This is the most crucial part of Akrites.
In the past, security response across open-source projects was highly fragmented. When a vulnerability was discovered, a researcher had to locate the project maintainer’s contact info, send an email, wait for a reply, discuss a fix, and coordinate disclosure timelines. If the maintainer was on vacation, had switched jobs, or the project was abandoned, the vulnerability could remain exposed for months.
Akrites plans to establish a “shared fire brigade.” When AI systems or security researchers find vulnerabilities in critical open-source software, they can directly report them to Akrites’ SIRT. This team can:
- Quickly assess the severity of a vulnerability
- Coordinate fixes with the original maintainers
- Step in to patch directly if the maintainers are unresponsive
- Manage disclosure timelines in a unified manner
The last point is particularly important. If a project no longer has active maintainers, Akrites will act as the “maintainer of last resort,” ensuring patches are delivered to users in time.
This addresses a long-standing pain point in open-source security: many libraries that underpin critical infrastructure are hobby projects for individual developers who neither have the obligation nor the capacity to provide 24/7 security support.
2. Unified Coordinated Vulnerability Disclosure (CVD) Process
Akrites will implement a standardized vulnerability disclosure process based on a “confidentiality-first” principle.
It might sound similar to traditional responsible disclosure, but Akrites’ value lies in its ability to apply it at scale. It will:
- Use industry-standard tools (rather than every project having its own system)
- Manage disclosure timelines centrally
- Ensure patches flow back into official project repositories
- Collaborate with government agencies (e.g., CISA) to enable public-private coordination
For developers, this means no more learning a dozen different reporting procedures. For enterprise users, it means more predictable and timely security updates for their critical dependencies.
3. AI-Assisted Proactive Defense
Since attackers are using AI to find vulnerabilities, defenders must use AI too.
The Akrites Project will harness AI/LLM technologies to proactively scan key open-source software to detect and fix vulnerabilities before they are exploited. It’s effectively an “AI vs AI” arms race, and Akrites’ goal is to ensure the good actors’ AI runs faster than the malicious ones.
Of course, there’s a subtle issue: if handled improperly, AI-discovered vulnerabilities could themselves become attack vectors. That’s why confidentiality is crucial — vulnerabilities found by Akrites will remain strictly private until fixed.
The Participants: The “Avengers” of the Tech Industry
Here’s a look at Akrites’ initial supporters:
Cloud and Infrastructure:
- Amazon AWS
- Microsoft (including GitHub)
- IBM
- Red Hat
AI Companies:
- OpenAI
- Anthropic
- NVIDIA
Financial Institutions:
- JPMorgan Chase
- Citigroup
Telecom and Enterprises:
- Cisco
- Ericsson
- Vodafone
Security and Supply Chain Companies:
- Chainguard
- Endor Labs
- RapidFort
- Sonatype
- Zscaler
Open-Source Foundations:
- Rust Foundation
This lineup covers nearly the entire tech industry chain. Interestingly, both OpenAI and Anthropic — the two leading AI labs — are on board. Their models are both part of the problem (used to find vulnerabilities) and part of the solution (used for defense).
The participation of financial institutions is also noteworthy. JPMorgan and Citigroup conduct trillions of dollars’ worth of transactions daily on open-source software, so their emphasis on open-source security is no surprise.
Why Now?
Open-source security is not a new topic. Incidents like Heartbleed (2014) and Log4Shell (2021) already sounded the alarm. But Akrites’ timing now has deeper reasons.
The LLM Capability Threshold
Since 2024, major LLMs have made a qualitative leap in code comprehension. Claude 3.5 Sonnet, GPT-4o, and Gemini 1.5 Pro have demonstrated strong code auditing abilities. Give them complex C code, and they can identify subtle integer overflows, race conditions, or use-after-free errors.
This was impossible just a year ago. Now it’s reality.
Security researchers are already experimenting with AI-assisted vulnerability discovery, yielding promising results. While few cases are public, many discussions are happening privately. In a sense, Akrites is a formal response to this growing trend.
Rising Regulatory Pressure
The EU’s Cyber Resilience Act (CRA) and the U.S. CISA’s Open Source Security Roadmap are both putting pressure on the open-source world, demanding more timely vulnerability disclosures and fixes.
The problem is, regulators don’t always understand how open source works. A maintainer might be a part-time developer coding after work — you can’t expect them to deliver enterprise-level SLAs.
In this sense, Akrites is an act of self-preservation for the open-source community — building a robust response system before regulation forces one upon it. It’s a much smarter move than waiting passively.
The Shadow of Supply Chain Attacks
The 2024 xz-utils backdoor incident — where an attacker spent two years infiltrating a project to insert a backdoor — rocked the entire industry. It revealed the open-source supply chain’s fragility: critical infrastructure may rely on small, unaudited projects vulnerable to takeover.
Akrites’ “maintainer of last resort” role is designed specifically to counter such risks. If a key project’s maintainers vanish or turn malicious, Akrites can step in.
Potential Challenges
Of course, Akrites is no silver bullet. Some obvious challenges remain:
Scope of Coverage
There are millions of open-source projects; Akrites can’t cover them all. It will have to focus on “critical” ones — but who decides what qualifies as critical? The criteria itself will be contentious.
Community Acceptance
The open-source community is naturally wary of projects dominated by big corporations. Since Akrites is backed by major tech firms, will it become their tool? Could it compromise open-source independence? These concerns are legitimate.
The Linux Foundation emphasized that vulnerabilities will ultimately be resolved and released through the original maintainers, at their own pace. This is meant to calm fears, though whether it holds true in practice remains to be seen.
The Nature of the Speed Race
Using AI to find and patch vulnerabilities is ultimately an arms race. Attackers’ AIs are improving too — and while attackers only need to find one flaw, defenders must patch them all. This asymmetry won’t disappear because of Akrites.
What Akrites can do is shorten the window from detection to patch, reducing the exploitable period. It cannot eliminate the problem entirely — nothing can.
What It Means for Developers
If you’re a developer using open-source software, Akrites may affect you in the following ways:
Faster Security Updates: Vulnerability fixes in critical open-source projects should arrive more quickly. When a dependency releases a security patch, it’ll be more urgent to upgrade — since AI may already be exploiting the vulnerability in the wild.
A Unified Reporting Process: If you discover a vulnerability in an open-source project, Akrites provides a single reporting channel without the hassle of hunting down maintainers.
Supply Chain Confidence: For projects that rely heavily on open-source components, Akrites provides an added safety net. Those “popular yet unmaintained” libraries will now have someone backing them up.
If you maintain an open-source project, the implications are more nuanced. On one hand, Akrites SIRT provides support so you’re not alone during security incidents. On the other, you’ll need to coordinate with Akrites, which may introduce some procedural requirements.
Overall, it’s a net positive for the ecosystem.
The Bigger Picture in AI Security
It’s worth noting that Akrites is not an isolated move. A new collaborative landscape in AI security is rapidly taking shape.
Just this week, AI red-teaming platform startup Armadin announced partnerships with CrowdStrike and Palo Alto Networks, focusing on how AI models lower the barrier to cyberattacks. This complements Akrites’ focus — both address the same trend from different angles: AI is reshaping the balance of power between attackers and defenders.
While Akrites focuses on defensive measures for open-source software, Armadin focuses on proactively testing AI systems themselves. Together, they sketch out a more complete AI security defense perimeter.
Conclusion
The launch of Akrites is a landmark event in open-source security. For the first time, it brings together tech giants, financial institutions, security firms, and open-source foundations at this scale to tackle the new class of security threats driven by AI.
This isn’t the end — it’s the beginning. AI’s ability to find vulnerabilities will continue to evolve, and the cat-and-mouse game will go on. But at least, the open-source community is no longer fighting alone.
With Akrites, when the next Log4Shell-type incident emerges, the response should be much faster. And those “three-years-unmaintained yet widely used” libraries will finally have someone to look after them.
That’s enough.
References
- ITHome: Linux Foundation, Anthropic, OpenAI, and others launch the “Akrites” project – First Chinese-language report, includes basic project info
- iThome: AI Red Team platform startup Armadin announces partnership with two major security companies – Related developments in the AI security field



