Top stories
Linux Foundation launches Akrites to defend open source against AI-found vulnerabilities
- Category: Security
- Status: confirmed
- Sources: Linux Foundation, Akrites letter, discussion
- Summary: The Linux Foundation announced Akrites on 2026-06-25, a cross-industry effort to coordinate confidential vulnerability remediation and disclosure for critical open source software as AI compresses vulnerability discovery from weeks to minutes. Akrites runs a shared Security Incident Response Team and a single standardized coordinated-disclosure process so maintainers face one predictable partner rather than a flood of uncoordinated AI-generated reports, and commits to acting as maintainer of last resort for critical packages with no active maintainer. Founding members include Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, the Rust Foundation, Sonatype, Vodafone, and Zscaler.
- Comments: HN commenters questioned who staffs and funds the maintainer-of-last-resort commitment, noting Akrites itself employs no engineers, and were skeptical of the heavy corporate membership; one asked why the effort covers only open source and not widely depended-on closed-source software.
- Why it matters: It is the first industry-wide governance response to the AI-found-vulnerability and maintainer-burden theme running through curl pausing report handling, the FFmpeg AI zero-days, and OpenAI Patch the Planet.
- Follow-up: Watch the SIRT staffing and funding model, which projects Akrites adopts as maintainer of last resort, and whether the coordinated-disclosure process reduces maintainer report load in practice.