The Linux Foundation has officially launched Akrites, an ambitious industry-wide initiative designed to shield critical open-source projects from the accelerating wave of vulnerabilities being uncovered by AI and large language models. The project brings together heavy hitters including Amazon Web Services, Anthropic, Google, Microsoft and GitHub, NVIDIA, OpenAI, Red Hat, and dozens more in a coordinated effort to ensure that security holes discovered at machine speed get patched before malicious actors can weaponize them.

The AI Vulnerability Problem

LLMs have fundamentally changed the threat landscape for open-source maintainers. Where researchers once spent weeks or months manually auditing code, AI systems can now systematically scan repositories, identify potential exploits, and generate proof-of-concept attacks in hours—or even minutes. This has created a dangerous asymmetry: vulnerabilities are being discovered faster than human maintainers—many of whom volunteer their time—can respond to them. Akrites aims to close that gap by providing infrastructure and coordination that individual projects simply cannot build on their own.

How Akrites Works

At its core, the initiative establishes a shared Security Incident Response Team (SIRT) and a standardized Coordinated Vulnerability Disclosure (CVD) process built on confidentiality-first principles. Bug fixes flow back to each project's original home, respecting maintainer autonomy while ensuring patches actually land in production code. Perhaps most importantly, for critical packages that have no active maintainer—a situation more common than most users realize—Akrites will serve as what they're calling a 'maintainer of last resort,' getting security fixes into the latest versions so everyone benefits in a timely fashion.

Big Tech Backs the Effort

The roster of initial backers reads like a who's who of the tech industry. Beyond the usual suspects, you'll find financial sector heavyweights JPMorganChase and Citi alongside telecommunications players Ericsson and Vodafone, plus specialized security firms like Chainguard, Zscaler, Sonatype, RapidFort, Endor Labs, and the Rust Foundation. The involvement of Anthropic and OpenAI is particularly notable—these are companies whose own AI systems may be partially responsible for accelerating vulnerability discovery in the first place. The initiative will also coordinate with government efforts to ensure public and private defenders move in concert.

Key Takeaways

  • Akrites creates a shared Security Incident Response Team (SIRT) and standardized Coordinated Vulnerability Disclosure process
  • Will act as 'maintainer of last resort' for abandoned or under-resourced critical open-source packages
  • 20+ major companies backing the effort, including AI developers Anthropic and OpenAI
  • Bug fixes return to original projects on maintainers' terms, preserving community ownership

The Bottom Line

This is the kind of coordinated action that FOSS has needed for years but couldn't organize. Whether it succeeds depends entirely on whether these companies actually commit resources when it matters—not just at launch. If Akrites can keep critical infrastructure from falling through the cracks while respecting open-source governance, this could be a genuine turning point in how we handle AI-era security.