VYPR
Advisory · Published Jun 26, 2026 · 2 sources

Linux Foundation Launches Akrites Framework to Standardize Open-Source Vulnerability Response as AI Accelerates Exploits

The Linux Foundation has launched Akrites, an industry initiative that establishes a common process for vulnerability remediation and disclosure in critical open-source software, backed by major tech and financial firms.

The Linux Foundation today announced the launch of Akrites, a new industry initiative designed to standardize how security vulnerabilities in widely used open-source software are reported, remediated, and disclosed. The framework brings together technology companies, financial institutions, security vendors, AI companies, and open-source projects to address the growing threat of AI-shortened exploit timelines.

Akrites establishes a shared Security Incident Response Team (SIRT) and a Coordinated Vulnerability Disclosure (CVD) process. Participating organizations will use common workflows and industry-standard tools to exchange vulnerability information, manage remediation, and coordinate disclosures until fixes are available. The project focuses on software used in sectors including finance, healthcare, telecommunications, energy, government, and AI infrastructure.

“Open source powers the systems we rely on every day, running everything from banks and hospitals to power grids and AI platforms. As frontier AI accelerates vulnerability discovery, the risk has grown too large for any one organization to address alone. That’s why an ecosystem approach is critical,” said Jamie Thomas, Enterprise Security Executive at IBM, in a statement.

Founding members include Amazon Web Services, Anthropic, Cisco, Citi, Endor Labs, Ericsson, GitHub, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, Sonatype, Vodafone, and Zscaler. In an open letter published alongside the launch, the founding organizations said AI is accelerating both vulnerability discovery and exploit development, and that many open-source maintainers lack the resources to keep up.

“Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before. That’s an enormous opportunity for defenders, and Akrites ensures we seize it together,” said Matt Wilson, Vice President and Distinguished Engineer at Amazon Web Services.

Akrites builds on existing Linux Foundation security efforts such as Alpha-Omega, which funds security improvements for critical open-source projects, and the Open Source Security Foundation (OpenSSF), which develops security standards and tooling. It adds a coordinated incident response capability focused on handling vulnerabilities before public disclosure. Mark Russinovich, Azure Chief Technology Officer at Microsoft, said Akrites builds on that work to address the growing impact of AI-powered vulnerability discovery.

Organizations that can contribute engineering resources, security expertise, or funding are invited to participate in the initiative. The launch comes as the cybersecurity industry grapples with the double-edged impact of AI on vulnerability discovery and exploitation, which makes coordinated response frameworks increasingly critical.

The Linux Foundation has now formally announced Akrites, naming Anthropic, AWS, Cisco, Google, Microsoft, NVIDIA, OpenAI, Red Hat, and Zscaler among its founding supporters, with seed funding from the Alpha-Omega directed fund. The project establishes a shared Security Incident Response Team (SIRT) to coordinate vulnerability disclosure and patching across the open source ecosystem, explicitly citing the risk of AI-accelerated exploit development as a key driver. Akrites will also act as a 'maintainer of last resort' for orphaned packages, ensuring fixes can still be delivered for unmaintained software.

Synthesized by Vypr AI