Linux Foundation Launches Akrites as AI Finds Bugs Faster Than Maintainers Can Patch Them
The Linux Foundation on Thursday launched Akrites alongside 19 founding organizations—Amazon, Anthropic, Citi, Google, JPMorganChase, Microsoft, NVIDIA, OpenAI, and others—to coordinate patching of critical open-source software before AI-powered attackers can exploit it. The initiative addresses a timeline problem that AI has made urgent: frontier models can now scan a major open-source project and return multiple confirmed vulnerabilities in minutes, work that used to take a skilled security researcher weeks. As Decrypt previously reported, Anthropic's Claude Opus 4.8 uncovered a critical flaw in Zcash's Orchard privacy pool within a day, exposing a bug that had survived four years of cryptographer review.
Anthropic Deputy CISO Jason Clinton said in the initiative's open letter that the existing model for coordinated disclosure "has been outpaced by how quickly AI can now find vulnerabilities," and that reaching a fix upstream requires coordinating on findings "before they're disclosed and exploited." Under the status quo, multiple organizations independently scan the same libraries and each works through its own lengthy internal process before a fix is offered, leaving maintainers to triage duplicate reports of the same bugs; the letter, signed by all 19 founding organizations, described this as burying "the maintainers under noise." Endor Labs CEO Varun Badhwar said that of the thousands of validated open-source vulnerabilities AI has surfaced in recent months, "fewer than 5% have been patched."
Akrites replaces that fragmented approach with a single, confidential Security Incident Response Team: one predictable partner for maintainers rather than a flood of uncoordinated reports. Fixes go back to each project's upstream repository on the maintainers' terms, using established standards for vulnerability tracking, and when a critical package has no active maintainer, Akrites commits to stepping in as maintainer of last resort. The open letter called an undisclosed flaw in a widely deployed package "a weapon," underscoring the program's emphasis on keeping findings confidential until a fix is ready.
Rust Foundation CEO Rebecca Rumbul said the goodwill of open-source maintainers has for too long been taken for granted, adding that Akrites "promises meaningful coordination with upstream maintainers, financial, and full-time support to find, fix and disclose security vulnerabilities responsibly, and a genuine commitment from the most influential companies across tech and finance to solve this problem." JPMorganChase CISO Pat Opet framed the operational stakes in sharper terms: "AI has massively compressed the time between vulnerability discovery and exploitation to near real time," meaning adversaries can reverse-engineer a published patch and build a working exploit before many downstream systems deploy the fix. Success, Opet said, is "patch deployment, not patch publication."