Linux Foundation announces Akrites: coord/remediate/disclose OSS vulnerabilities

Submitted by dwheeler

Akrites | Patch the Commons, Together

Coordinated, confidential vulnerability remediation for the open source software critical infrastructure depends on

An open letter from the technology industry, and the launch of Akrites – a coordinated effort to remediate vulnerabilities in the open source software the world runs on.

Origin

The name comes from the Akritai — the Byzantine Empire’s frontier guardians, who stood watch where threats arrived first and defenses were thinnest.

In modern software, that frontier is upstream: the open source projects everything depends on. Akrites is the industry standing that watch together, alongside the maintainers who have held it alone for too long. Fittingly, the root of the name is the same word that gives us critical — which is exactly the software this effort exists to defend.

The Problem: Discovery has outrun defence.

AI security tools have moved the cost of finding serious software vulnerabilities from weeks of expert effort to minutes of automated scanning. The defenders of open source software have to adapt.

Reports outpace triage

With capable models widely available, a popular library can receive the same vulnerability described five different ways by five reporters in one week.

Signal collapses

Maintainers often waste time sifting through volumes of reports to separate the real, exploitable findings from confident-sounding AI noise. Some ignore AI-generated reports entirely, so real ones may be missed too.

Everyone races to disclosure

Every organization scanning the same software independently risks racing to disclosure, overwhelming maintainers and exposing pre-patch findings to attackers.

Stronger Together: Why working separately makes it worse.

No single organization can solve this alone. Acting independently makes the problem worse.

Duplicate Discovery at Scale

Many end users, cloud providers, security researchers, and security vendors scan the same packages and file the same findings independently.

Maintainer Overload

A flood of duplicate and low-quality reports buries the real, exploitable ones and burns out the people we depend on.

Pre-patch Exposure

Every additional party who knows about an unpatched vulnerability raises the odds of a leak. AI tooling lets anyone find the same vulnerabilities, so most vulnerabilities should be treated as if they were already public knowledge.

Sector and Technology Blindness

Banks know what banks depend on; hospitals know what hospitals depend on. Neither learns they share a critical dependency until it is on fire.

The Akrites Solution: A shared Security Incident Response Team (SIRT).

Akrites gives critical infrastructure stakeholders a confidential, structured place to coordinate vulnerability discovery, remediation, and disclosure across the open source projects they depend on, at the pace AI-assisted attackers now operate.

One Front Door

Upstream maintainers face a coordinated, predictable partner running one standardized CVD process, not a hundred independent reports.

A Shared Dedicated SIRT

A centralized Security Incident Response Team validates and deduplicates findings, and coordinates resolution and upstream patching.

Leverages industry standards and tools: CVE, TLP, CWE, CVSS, EPSS, SSVC, VEX, VINCE.

Question: How does Akrites relate to or integrate with other similar industry efforts?

Akrites provides a consistent, centralized coordination facility that can easily integrate with external Finders such as Glasswing, MITRE/CVE, Lightwell, and FIRST. Those efforts have focused on the *finding* of security vulnerabilities. Akrites focuses on *coordinating the disclosure* of those findings and can assist by accepting and coordinating reports from any of these programs.

Upstream: How a vulnerability flows through the program.

Every finding follows the same path so upstream maintainers face one predictable partner and members get consistent embargo handling.

1. Intake. A member or its vendor surfaces a finding to the SIRT. It is TLP:RED from the start, visible only to the case team.

2. Deduplicate & Validate. The SIRT merges duplicates into one case, validates severity, and assigns ownership.

3. Remediate. Maintainers and/or industry engineers prepare and test the fix, held as TLP:RED case material.

4. Synchronized Disclosure. Upstream enters one CVD window; the fix publishes to the original namespace at disclosure.
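The four stages above describe a case lifecycle with two invariants: duplicate reports collapse into one case, and the case stays TLP:RED until synchronized disclosure. The following model is an added illustration, not Akrites' own tooling. The deduplication key (package, affected component, CWE class), the case-id format, the package name `libexample` and the five report wordings are all constructed for the example; a real SIRT would key on richer evidence than a CWE label.

```python
"""Case-lifecycle model for a coordinated vulnerability disclosure (CVD) program.

Added example; assumptions are marked in comments. The TLP label is derived
from the stage rather than stored, so nothing can relabel a case before the
disclosure date, and disclosure is refused until a tested fix is attached.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Stage(Enum):
    INTAKE = 1       # report received, case opened
    VALIDATED = 2    # duplicates merged, severity confirmed, owner assigned
    FIX_READY = 3    # patch prepared and tested as case material
    DISCLOSED = 4    # CVD window closed; fix and advisory public


@dataclass(frozen=True)
class Report:
    reporter: str
    package: str
    component: str   # module/function the reporter names as affected
    cwe: str         # weakness class as supplied by the reporter
    summary: str


def fingerprint(r: Report) -> tuple[str, str, str]:
    """Dedup key. Assumption for this example: same package, same affected
    component and same CWE class means the same bug, however it is worded."""
    return (r.package.lower(), r.component.lower(), r.cwe.upper())


@dataclass
class Case:
    case_id: str
    key: tuple[str, str, str]
    reports: list[Report] = field(default_factory=list)
    case_team: set[str] = field(default_factory=set)
    stage: Stage = Stage.INTAKE
    severity: Optional[str] = None
    owner: Optional[str] = None
    fix_ref: Optional[str] = None

    @property
    def tlp(self) -> str:
        return "TLP:CLEAR" if self.stage is Stage.DISCLOSED else "TLP:RED"

    def can_view(self, party: str) -> bool:
        # Before disclosure only the case team sees the case material.
        return self.stage is Stage.DISCLOSED or party in self.case_team


class Sirt:
    """One front door: one case per distinct vulnerability."""

    def __init__(self) -> None:
        self._by_key: dict[tuple[str, str, str], Case] = {}
        self._seq = 0

    def intake(self, report: Report) -> Case:
        key = fingerprint(report)
        case = self._by_key.get(key)
        if case is None:
            self._seq += 1
            case = Case(case_id=f"CASE-{self._seq:04d}", key=key)  # constructed id format
            self._by_key[key] = case
        case.reports.append(report)          # duplicates merge into the same case
        case.case_team.add(report.reporter)  # the finder joins the case team
        return case

    def validate(self, case: Case, severity: str, owner: str) -> None:
        if case.stage is not Stage.INTAKE:
            raise ValueError(f"{case.case_id}: already validated")
        case.severity, case.owner = severity, owner
        case.case_team.add(owner)
        case.stage = Stage.VALIDATED

    def attach_fix(self, case: Case, fix_ref: str) -> None:
        if case.stage is not Stage.VALIDATED:
            raise ValueError(f"{case.case_id}: a fix needs a validated case")
        case.fix_ref = fix_ref
        case.stage = Stage.FIX_READY

    def disclose(self, case: Case) -> None:
        if case.stage is not Stage.FIX_READY:
            raise ValueError(f"{case.case_id}: no tested fix; disclosure refused")
        case.stage = Stage.DISCLOSED

    def open_cases(self) -> list[Case]:
        return [c for c in self._by_key.values() if c.stage is not Stage.DISCLOSED]


def run_scenario() -> dict:
    """Constructed walk-through: five reporters, one bug, one case."""
    sirt = Sirt()
    wordings = [  # five descriptions of the same constructed finding
        "stack buffer overflow in header parser",
        "unchecked length copy in parse_hdr()",
        "memcpy past end of local buffer when parsing header",
        "AI scan: CWE-121 in libexample parse_hdr",
        "crash with an over-long header field",
    ]
    for i, text in enumerate(wordings, 1):
        cwe = "CWE-121" if i % 2 else "cwe-121"  # mixed case is normalized away
        sirt.intake(Report(f"reporter-{i}", "libexample", "parse_hdr", cwe, text))
    case = sirt.open_cases()[0]
    out = {"cases_opened": len(sirt.open_cases()), "reports_merged": len(case.reports)}
    sirt.validate(case, severity="high", owner="maintainer@libexample")
    try:
        sirt.disclose(case)  # no fix yet: must be refused
        out["early_disclosure_refused"] = False
    except ValueError:
        out["early_disclosure_refused"] = True
    sirt.attach_fix(case, "patch-bundle-0001")  # constructed reference
    out["tlp_during_remediation"] = case.tlp
    out["outsider_can_view_before"] = case.can_view("downstream-distro")
    sirt.disclose(case)
    out["tlp_after_disclosure"] = case.tlp
    out["outsider_can_view_after"] = case.can_view("downstream-distro")
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Deriving `tlp` from `stage` is the point of the model: the label cannot be edited independently of where the case is in the process, so an accidental downgrade before the CVD window closes is impossible by construction rather than by policy.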

Confidentiality Framework: Critical vulnerability information is protected by use of the TLP 2.0 (Traffic Light Protocol) protocol.

Hardened Infrastructure

Isolated secure enclaves to perform vulnerability analysis, POC/POV verification, and patch creation

Analyst workbench provided via secure virtual machines

Protected by strong access controls, MFA, and monitoring

Access to Vulnerability Reports limited to Finders during triage/verification

Access to patch bundles limited to Finders and SIRT during Coordination &...
