The arrival of frontier AI models capable of scanning major open-source projects and surfacing multiple vulnerabilities in a single pass has handed defenders an extraordinary tool — but one that attackers can access, too.
Now, some of the biggest names in tech and industry are betting that the only way to stay ahead is to work together.
The result is Akrites, launched on Thursday by the Linux Foundation, which serves as a coordinated body to handle vulnerability discovery, remediation, and disclosure for critical open-source software.
Its founding roster spans some 20 organizations, among them AWS, Anthropic, Google, Microsoft and its GitHub subsidiary, OpenAI, Cisco, Red Hat, NVIDIA, Chainguard, Sonatype, Ericsson, Vodafone, Citi, and JPMorganChase. The initiative takes its name from the Akritai, the soldiers who guarded the Byzantine Empire’s outermost borders — the places most exposed, most frequently attacked, and most dependent on whoever showed up to defend them.
The launch comes at a volatile moment in the AI security landscape. Back in April, Anthropic released Claude Mythos through Project Glasswing, making its most capable model available to a small group of trusted partners specifically for cybersecurity defense. Then, in early June, Anthropic followed up with Fable 5 and Mythos 5 — the first generally available Mythos-class models, with built-in guardrails against misuse. Three days later, the US government suspended both after researchers found a way to use them to assist with cyberattacks.
Anthropic, notably, is one of Akrites’ founding members.
Security silo: The problem with going it alone
The open-source security model has long relied on a loose, decentralized network of maintainers, researchers, and organizations that scan for problems and report them. When finding a serious flaw took weeks of expert work, defenders had time to get ahead of it, but AI has closed that gap.
When multiple organizations independently scan the same widely used library and each files their own report, maintainers face a wall of duplicates, and the real, exploitable findings get buried in the noise. Worse, every additional party sitting on knowledge of an unpatched vulnerability increases the chances it leaks before a fix exists.
Varun Badhwar, CEO of software supply chain security company Endor Labs and a founding member of Akrites, says that AI tools have already surfaced thousands of validated open source vulnerabilities in recent months, with fewer than 5% patched — a figure from his company’s own data that hasn’t been independently verified. The hard part, he says, was never the discovery itself.
“For years we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore.”
“For years, we have believed finding vulnerabilities was never the hard part. Fixing them was,” Badhwar says in a statement. “AI has made that gap impossible to ignore.”
The existing model — each organization working separately, filing its own reports — is itself the problem Akrites is designed to fix. Jason Clinton, deputy chief information security officer at Anthropic, argues the model has simply been left behind.
“The existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities.”
“Open source projects collectively underpin much of the internet, and the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities,” Clinton says. “Getting ahead of that requires the industry to coordinate on findings and get fixes upstream before they’re disclosed and exploited.”
Patch first, publish second
The core of the Akrites initiative is a shared Security Incident Response Team (SIRT) that acts as a single point of coordination for the industry. Rather than maintainers receiving a dozen separate reports about the same flaw from a dozen different organizations, the SIRT consolidates findings, validates which are genuine and exploitable, and manages a single coordinated fix and disclosure process. It uses established industry standards — CVE, CVSS, among others — and operates under strict confidentiality rules from the moment a finding comes in.
When a patch is ready, it goes back into the original project on the maintainer’s terms. For projects with no active maintainer, Akrites will step in as a fallback so a fix can still reach everyone who depends on the code.
JPMorgan Chase CISO Pat Opet explains the underlying logic: success should be measured by fixes reaching live systems, rather than by patches being published.
“We owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust.”
“AI has massively compressed the time between vulnerability discovery and exploitation to near real-time, which means we have to compress the time from fix to deployment,” Opet says. “We owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust, rather than a flood of duplicative, conflicting reports.”
The Alpha-Omega factor
Akrites is open to new members across three tiers — Premier, for critical infrastructure operators and the vendors they depend on; General, for organizations that want to contribute without committing large engineering resources; and Associate, for open-source foundations and projects at no cost.
Seed funding comes from Alpha-Omega, an Open Source Security Foundation (OpenSSF) project under the Linux Foundation, backed by Anthropic, AWS, Google, Microsoft, OpenAI, and others, with an annual budget of over $7 million. Microsoft’s Azure CTO Mark Russinovich pointed to Alpha-Omega as proof of what coordinated industry action can achieve.
“OpenSSF and Alpha-Omega demonstrated what is possible when industry comes together to strengthen open source security,” Russinovich says. “Building on our experience co-founding these organizations, Akrites was created to address the emerging inflection point of AI-powered vulnerability discovery and defense.”
YOUTUBE.COM/THENEWSTACK
Tech moves fast, don’t miss an episode. Subscribe to our YouTube
channel to stream all our podcasts, interviews, demos, and more.
