The Linux Foundation launched Akrites on Thursday with 19 founding members to coordinate the remediation of critical open source vulnerabilities before AI-enabled attackers can exploit them.
Fewer than 5% of the thousands of open-source vulnerabilities surfaced by AI in recent months have been patched, according to Endor Labs CEO Varun Badhwar.
Akrites is designed to close this coordination gap.
The Linux Foundation launched Akrites on Thursday alongside 19 founding organizations—Amazon, Anthropic, Citi, Google, JPMorganChase, Microsoft, NVIDIA, OpenAI, and others—to coordinate the patching of critical open-source software before AI-powered attackers can exploit it.
The initiative addresses a timeline problem that AI has made urgent. Frontier models can now scan a major open-source project and return multiple confirmed vulnerabilities in minutes—work that used to take a skilled security researcher weeks. As Decrypt has reported, Claude Opus 4.8 uncovered a critical flaw in Zcash’s Orchard privacy pool within a day, exposing a bug that had survived four years of cryptographer review.
If white hat hackers find those flaws, everything is fine. If malicious actors find them first, things can get very messy, very fast. Anthropic Deputy CISO Jason Clinton said in the letter that the existing model for coordinated disclosure “has been outpaced by how quickly AI can now find vulnerabilities”—and that getting a fix upstream requires coordinating on findings “before they’re disclosed and exploited.”
The coordinated disclosure model that predated Akrites was not built for that speed. Multiple organizations would independently scan the same libraries and work through long bureaucratic processes before fixing bugs—a process that an open letter signed by all 19 founding organizations described as burying “the maintainers under noise.”
Endor Labs CEO Varun Badhwar went further: Of the thousands of validated open-source vulnerabilities AI has surfaced in recent months, “fewer…