On June 25, 2026, the Linux Foundation launched Akrites, a multi-stakeholder initiative establishing a shared Security Incident Response Team and a confidentiality-first coordinated vulnerability disclosure process. The move responds to a data point the founders deem unsustainable: according to Endor Labs CEO Varun Badhwar, less than 5% of validated open source vulnerabilities in recent months have received a patch. The goal is to compress the window between discovery and remediation, but a Linux Foundation executive admits that "the space is crowded and the track record is mixed."
- Akrites operates as a "maintainer of last resort" for abandoned critical packages, stepping in where the original maintainer is absent.
- Seed funding comes from Alpha-Omega, the Linux Foundation-directed fund already active on supply chain security.
- Nineteen founding organizations include AWS, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft/GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler.
- The project enters an already occupied field: Chainguard's Athena coalition, announced two weeks earlier, pursues similar goals with overlapping membership.
A Centralized SIRT Against the Speed of Offensive AI
The operational core of Akrites is a shared SIRT running a Coordinated Vulnerability Disclosure process in which confidentiality takes priority. Standard CVD already holds vulnerability details under embargo until a fix exists; what Akrites changes is the endpoint. Rather than treating a published advisory and a released patch as the finish line, it aims to pre-position fixes, and where possible have them deployed, before public disclosure.
The rationale comes from a statement attributed to the Linux Foundation in the official announcement: "When patches are released publicly, adversaries can use AI to rapidly reverse-engineer the underlying vulnerabilities, develop exploits, and launch attacks." This is the familiar patch-diffing problem in an acute form: in open source the fix is a readable commit, often visible before any advisory, so the window that matters is the one between a public patch and its deployment downstream. According to the source, the success metric will therefore be patch deployment, not publication.
Linux Foundation CEO Jim Zemlin pushed the diagnosis further in remarks at UN Open Source Week: the average time to exploit a software vulnerability has reportedly fallen to "under seven days." The claim, reported by DevOps.com, is not independently verified in this dossier; it stands as an indicator of the sense of urgency driving the initiative.
The 5% Patch Rate and the Human-Machine Mismatch
The most cited figure in the launch materials is also the most unsettling. Badhwar, whose company Endor Labs is among the founders, states that "of the thousands of validated open source vulnerabilities that have emerged in recent months, less than 5% have been patched." The source does not specify the exact reference period or counting methodology; the number is however reproduced consistently across SD Times and the PRNewswire release.
The structural gap Akrites attempts to bridge is between discovery speed and response capacity. AI accelerates both sides of the equation, systematic flaw discovery as well as reverse engineering of patches, but volunteer-maintained or underfunded open source projects lack the resources to keep pace. The result is a growing backlog of known, exploitable vulnerabilities that remain unpatched.
Akrites does not solve the labor deficit; it manages it by outsourcing the response. The SIRT will intervene directly on abandoned packages, assuming the maintainer role when the original ceases activity. The mechanism raises governance questions not detailed in the sources: who decides which projects are "critical," who assumes legal liability for patches distributed, how top-down intervention reconciles with community autonomy.
The Internal Verdict: "The Space Is Crowded, the Track Record Is Mixed"
The most revealing reading in the dossier comes from Mike Dolan, Linux Foundation Senior Vice President of Legal, in an interview with DevOps.com. Dolan does not hide his caution: "The space is crowded, and the track record is mixed." What distinguishes Akrites, in his view, is "narrow: a single coordinated process, so open source maintainers face one partner instead of a hundred separate reporters."
"Maintainers deserve a coordinated partnership, not a flood of reports" — Matt Wilson, VP and Distinguished Engineer, AWS
Wilson's quote, reported by Help Net Security, translates into operational terms the problem Dolan identifies: the multiplication of actors discovering and reporting vulnerabilities without coordination overloads maintainers, often volunteers, with duplicate requests and incompatible standards. Akrites promises to function as a unified interface, filtering and standardizing intake.
Dolan's caution, however, raises a question the sources do not clarify: if the track record of analogous initiatives is mixed, what guarantees that greater corporate scale will produce greater effectiveness? The dossier contains no preliminary metrics or independent evaluation plan.
Athena, Lightwell, and the Risk of Proliferation
Akrites does not arrive on empty ground. Two weeks before its announcement, Chainguard unveiled Athena, a coalition with overlapping goals; several Athena members joined the Akrites founders. DevOps.com also cites Project Lightwell as a third actor in the same space. The source does not clarify whether the three initiatives will converge or compete.
This proliferation mirrors a recurring dynamic in open source security: the response to a coordination crisis generates further fragmentation. Each initiative introduces its own standards, processes, and membership, increasing complexity for the maintainers who are supposed to be the ultimate beneficiaries. Akrites promises to reduce this complexity for individual projects, but its very existence increases it at the ecosystem level.
The target sectors are broad: finance, healthcare, energy, telecommunications, government, and AI infrastructure, according to Help Net Security. This breadth reflects universal dependence on open source components, but it also exposes the project to tensions among potentially conflicting corporate interests. The dossier does not document arbitration mechanisms among the founders.
Why It Matters
Akrites represents a test of the industry's ability to self-organize structural responses to threats that exceed any single operator. The 5% patch rate cited by Endor Labs, if confirmed by independent metrics, would indicate a systemic failure of vulnerability response that cannot be attributed to individual projects or maintainers.
The dossier, however, leaves critical points open. The source does not specify the technical architecture of the vulnerability intake platform, the selection criteria for "critical" packages to protect, the legal liability framework for patches distributed by the SIRT, or the interaction with the existing CVE/CNA infrastructure managed by MITRE. These gaps make it impossible to assess whether Akrites will be operationally effective or another layer of institutional coordination.
The implicit comparison with Athena and Project Lightwell raises a broader question: does open source supply chain security require more initiatives with more corporate logos, or more radical governance of existing processes? The Linux Foundation, through Dolan, admits the problem is not a scarcity of initiatives. The stakes are whether Akrites manages to be the exception that renders the others superfluous, or just another exception that multiplies them.
Information verified against cited sources and current as of publication.
Sources
- https://www.securityweek.com/linux-foundation-unveils-new-open-source-security-project-akrites/
- https://www.helpnetsecurity.com/2026/06/26/akrites-open-source-security-framework/
- https://unit42.paloaltonetworks.com/large-scale-credential-attacks/
- https://sdtimes.com/security/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats/
- https://www.prnewswire.com/news-releases/linux-foundation-and-industry-leaders-launch-akrites-to-defend-critical-open-source-software-against-ai-enabled-cyber-threats-302811165.html
- https://www.techzine.eu/news/security/142499/linux-foundation-launches-akrites-to-protect-open-source-from-ai/
- https://devops.com/akrites-the-latest-attempt-to-protect-open-source-from-ai-attacks-has-arrived/
- https://www.helpnetsecurity.com/2026/06/25/foss-ai-in-open-source/
- https://www.helpnetsecurity.com/2025/08/22/critical-infrastructure-sltt-cybersecurity-priorities/
- https://www.helpnetsecurity.com/2026/01/26/incident-response-failures-video/