Linux Foundation and Industry Leaders Launch Akrites to Defend Critical Open Source Software Against AI-Enabled Cyber Threats

PR Newswire
Today at 7:24pm UTC

Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone and Zscaler join coordinated effort to find, fix and responsibly disclose vulnerabilities in open source software the world runs on

Summary

  • The Linux Foundation, joined by leading organizations, today announced Akrites, a coordinated effort to remediate and disclose vulnerabilities in critical open source software.
  • Akrites establishes a shared Security Incident Response Team (SIRT) and a single, standardized Coordinated Vulnerability Disclosure (CVD) process, built on confidentiality-first principles and industry-standard tooling.
  • Founding members commit engineering talent, security expertise and funding to harden the shared open source software that banks, hospitals, power grids, telecoms, governments, and AI labs depend on.
  • Organizations that contribute engineering resources or funding to the security of critical open source are invited to participate and can learn more at https://akrites.org.

SAN FRANCISCO, June 25, 2026 /PRNewswire/ -- The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced Akrites, a coordinated industry effort to harden the world's most critical open source software in the era of AI-assisted vulnerability discovery. Backed by founding commitments from Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone and Zscaler, the initiative unites major technology companies, AI labs, financial institutions, and security vendors around a shared mission: to coordinate the remediation of vulnerabilities in widely used open source projects with upstream maintainers before those vulnerabilities can be exploited.

Open source software underpins virtually every layer of the modern digital economy, from banking and healthcare to energy, transportation, telecommunication, and government. Akrites enables industry coordination to support and defend critical infrastructure users and consumers of open source. Previously, finding and fixing serious flaws in open source software demanded comparable expertise from attackers and defenders alike. Today, frontier AI models can scan a major open source project and surface vulnerabilities in minutes. Once access to these capabilities is broadly available, bad actors who previously lacked the technical expertise to mount sophisticated attacks will have the tools they need to do so quickly.

To mark the launch, the founding signatories published a joint open letter to the technology industry, "We All Depend on Open Source. We Will Defend It Together." The full letter is available at https://akrites.org/letter/.

In the past, security response involved a patchwork of organizations often working on the same problems independently, sometimes shipping conflicting patches or burying maintainers under duplicate reports. Akrites changes that model. The initiative provides a single, trusted place to coordinate, remediate and disclose, with a shared SIRT serving as a predictable partner for maintainers rather than a flood of uncoordinated reports. Akrites commits to working with critical infrastructure to support patch deployment before vulnerable systems can be targeted.

Confidentiality is central to the effort. Bug fixes flow back into each project's original home, on maintainers' terms. Where a critical package has no active maintainer, Akrites will serve as maintainer of last resort so fixes to the latest version reach everyone in a timely fashion. The initiative will also coordinate with government efforts so public and private defenders move together.

Alpha-Omega, a directed fund of the Linux Foundation, will provide seed funding to support Akrites. Other organizations that contribute engineering resources or funding to the security of critical open source are invited to participate. To learn more or to join, visit https://akrites.org.

Supporting Quotes
"Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before. That's an enormous opportunity for defenders, and Akrites ensures we seize it together. Maintainers deserve a coordinated partnership, not a flood of reports. AWS is committed to securing the projects our customers depend on and building this shared infrastructure alongside the community."
– Matt Wilson, Vice President and Distinguished Engineer, Amazon Web Services

"Open source projects collectively underpin much of the internet, and the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities. Getting ahead of that requires the industry to coordinate on findings and get fixes upstream before they're disclosed and exploited. Efforts like Akrites drive this level of coordination at the scale and speed this moment requires."
– Jason Clinton, Deputy Chief Information Security Officer, Anthropic

"The software supply chain is only as strong as the upstream it draws from, and we see how thin that layer really is. As AI finds more vulnerabilities, the industry will rush to patch them. Without coordination, those fixes will fragment across different patches and forks, and maintainers who are already overwhelmed, unreachable, or haven't touched a project in years. Akrites gives the industry one coordinated way to fix vulnerabilities upstream before they're exploited, with maintainers still in control. Now the work is making sure there's always someone on the other end to catch them."
– Dan Lorenc, CEO and Co-founder, Chainguard

"Finding a serious open source vulnerability used to take an expert weeks. It now takes a machine minutes. When maintainers lose that race, so does everyone else. No single company, no single maintainer, and no single government can close that gap alone. That is why Cisco is bringing its networking infrastructure, security expertise, and decades of open source contribution to Akrites - because defenders cannot afford to lose, and maintainers cannot be left to run this alone."
– Vijoy Pandey, SVP and GM, Outshift by Cisco

"Advances in AI models have significantly reduced the effort required to discover and exploit vulnerabilities. In partnership with the Linux Foundation and Project Akrites, Citi is committed to supporting the open-source ecosystem by helping to build a framework that identifies and remediates vulnerabilities and shares proposed patches. Focused on securing critical infrastructure, this initiative is a key part of our efforts to help the industry mitigate emerging threats."
– Al Tarasiuk, Chief Information Security Officer, Citi

"For years we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore. Of the thousands of validated open source vulnerabilities surfaced in recent months, fewer than 5% have been patched. Endor Labs is a founding member of Akrites because it is built for the response this moment needs: coordinated remediation upstream, handled confidentially, with maintainers in control, so one trusted fix reaches everyone who depends on the code."
– Varun Badhwar, CEO and Co-Founder, Endor Labs

"Vulnerability discovery is now moving at a speed that overwhelms both the maintainers who sustain open source projects and the users who rely on them. Uncoordinated reporting, patching, and disclosure create friction, putting the entire ecosystem at risk. No single organization can solve this alone. That is why Ericsson is joining Akrites as a Premier member, contributing funding and talent to a shared effort to keep open source software secure and thriving."
– Mikko Karikytö, Chief Product Security Officer, Ericsson

"As AI accelerates both the scale and speed of vulnerability discovery, defending the open source ecosystem requires an equally rapid, coordinated response. By joining Akrites, we are combining Google's long-standing commitment to open source security with industry-wide expertise to ensure that vulnerabilities are found, fixed, and responsibly disclosed before they can be exploited. Safeguarding the software that powers the world's critical infrastructure is essential to maintaining trust in our digital future."
– Heather Adkins, Vice President Security Engineering, Google

"Open source powers the systems we rely on every day—running everything from banks and hospitals to power grids and AI platforms. As frontier AI accelerates vulnerability discovery, the risk has grown too large for any one organization to address alone. That's why an ecosystem approach is critical, bringing the community, technology providers, and enterprises together to ensure vulnerabilities are addressed and at the new speed required today."
– Jamie Thomas, Enterprise Security Executive, IBM

"AI has massively compressed the time between vulnerability discovery and exploitation to near real time, which means we have to compress the time from fix to deployment. That's why we at JPMorganChase are helping to build this effort to measure success in patch deployment, not patch publication. We support a mechanism that enables downstream operators of critical infrastructure so that fixes reach real systems before adversaries can turn disclosures into exploits. And upstream, we owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust, rather than a flood of duplicative, conflicting reports."
– Pat Opet, Chief Information Security Officer, JPMorganChase

"OpenSSF and Alpha-Omega demonstrated what is possible when industry comes together to strengthen open source security. Building on our experience co-founding these organizations, Akrites was created to address the emerging inflection point of AI-powered vulnerability discovery and defense. As a founding member, Microsoft will contribute expertise, resources, and AI technologies to help responsibly identify and fix vulnerabilities across the open source software ecosystem that customers and organizations depend on."
– Mark Russinovich, Azure Chief Technology Officer, Deputy Chief Information Security Officer and Technical Fellow, Microsoft

"Transparency and open collaboration are how the cybersecurity community has kept infrastructure safe for decades. In the age of AI, these open source foundations have never been more critical. Open source AI is the engine of American innovation — and one of our most powerful tools for deploying AI with the security, trust, and transparency needed to power this industrial revolution."
– David Reber, Chief Security Officer, NVIDIA

"The world runs on open source, and securing it is a long-term commitment for us at OpenAI. Through Patch the Planet, we're putting our models and resources behind expert-led work that helps maintainers validate issues and land fixes, and we're proud to participate in Akrites to strengthen coordination across the industry and help defend the software we all depend on."
– Clint Gibler, Cyber Lead, OpenAI

"Open source only works when we keep the work open, upstream, and available to everyone who depends on it. The answer to the AI-driven vulnerability crisis is not to fragment the ecosystem behind proprietary walls or turn community foundations into closed products. It must be coordinated remediation that preserves the integrity of original software, works with maintainers, and returns fixes to the commons. We are proud to support the Akrites initiative which aligns with our belief of strengthening the open source ecosystem from within, helping organizations reduce risk without unnecessary code changes, and making the software we all share safer for everyone."
– Mehran Farimani, CEO, RapidFort

"Open source is the foundation of modern software innovation. Defending that foundation requires a coordinated, upstream community response capable of meeting threats at scale. Red Hat's participation in Akrites focuses on strengthening this upstream ecosystem. By collaborating openly to identify and patch vulnerabilities at the source, we help build a more resilient software supply chain for the entire industry."
– Chris Wright, Chief Technology Officer and Senior Vice President, Global Engineering, Red Hat

"For too long, the goodwill and sense of responsibility among upstream maintainers has been taken for granted in security response processes. Akrites promises meaningful coordination with upstream maintainers, financial, and full-time support to find, fix and disclose security vulnerabilities responsibly, and a genuine commitment from the most influential companies across tech and finance to solve this problem. The Rust Foundation looks forward to working with Akrites to develop security that is fit for the future."
– Rebecca Rumbul, Executive Director and CEO, Rust Foundation

"Sonatype sees the dependency graph of the modern world every day. A single vulnerable component can sit underneath thousands of organizations, which means one upstream fix can reduce risk across an entire ecosystem. AI may make vulnerability discovery dramatically easier, but it does not make coordinated repair automatic. Akrites is important because it gives the industry a confidential way to do that work together, upstream, before the same flaw becomes thousands of separate incidents."
– Brian Fox, Co-founder and Chief Technology Officer, Sonatype, and Steward of Maven Central

"With the increasing ability of AI to fast-track vulnerability discovery, now is the right time to come together and invest resources to safeguard critical open-source software on which telecommunications and many other industries rely. As a founding member, Vodafone has committed both expertise and funding to Akrites. This unified initiative will drive a co-ordinated, industry-wide approach to responsibly identify and fix vulnerabilities in the software that runs the systems upon which the world depends."
– Paul Hopkins, Cyber & IT strategy and Architecture Director, Vodafone

"AI has changed the speed of both offense and defense. Vulnerabilities can now be found at machine speed, which means defenders have to move just as fast. Akrites helps turn that speed into an advantage for the open source ecosystem by finding issues earlier, coordinating remediation responsibly, and pushing fixes upstream. Zscaler is proud to be part of it."
– Deepen Desai, Executive Vice President and Chief Security Officer, Zscaler

About Akrites
Akrites is a coordinated confidential effort to remediate and disclose vulnerabilities in the open source software that critical infrastructure depends on. It provides a single, standardized Coordinated Vulnerability Disclosure (CVD) process operated by a shared Security Incident Response Team (SIRT), built on confidentiality-first principles and the industry's established standards and tooling (CVE, TLP, CWE, CVSS, EPSS, SSVC, VEX). To learn more or to join, visit https://akrites.org.

About the Linux Foundation
The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects, including Linux, Kubernetes, Model Context Protocol (MCP), OpenChain, OpenSearch, OpenSSF, OpenStack, PyTorch, Ray, RISC-V, SPDX and Zephyr, provide the foundation for global infrastructure. The Linux Foundation is focused on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of the Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
The Linux Foundation
pr@linuxfoundation.org

View original content to download multimedia: https://www.prnewswire.com/news-releases/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats-302811165.html

SOURCE The Linux Foundation