We All Depend on Open Source. We Will Defend It Together



An Open Letter


An open letter regarding the launch of Akrites – a coordinated effort to remediate vulnerabilities in the open source software the world runs on

For decades, open source has been one of the great achievements of technology – software we built together and came to depend on completely. Today, this code underpins the world’s critical infrastructure and services that people depend on every day: banking, telecommunications, utilities and more run on the same open source libraries. Over the years, the industry incorporated open source throughout tech stacks.

The world has now changed around it. Artificial intelligence has upended the previous equilibrium between attackers and defenders, changing the economics of how easily software can be analyzed and its flaws reused. Finding a serious vulnerability in a major open source project used to take an expert weeks. It now takes a machine minutes, and often the AI model returns multiple vulnerabilities in a single pass. The same AI capability that can help harden our software will, in the wrong hands, turn vulnerability discovery into a pipeline. This has already accelerated the cycle to a pace that is rapidly outstripping maintainers’ capacity to patch vulnerabilities. This is not a theoretical future risk. It is the present condition of every system we are responsible for.

Today, we are announcing a plan for addressing this issue in critical open source software – Akrites is the largest coordinated effort in history to create systems and deploy tooling that leverages the collective power of the community to make everyone safer. We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler to find, fix, and responsibly disclose vulnerabilities in critical open source software and support the security of the critical infrastructure that depends upon it.

A large and growing percentage of the world’s technology and open source software we depend on is built from the same components, carries the same latent defects, and is now exposed to the same accelerated discovery. No vendor’s walls are high enough to make this someone else’s problem.

Previously, security response and disclosure involved a patchwork of organizations and teams, often working on the same problems and sometimes shipping conflicting patches or multiple reports. In this new environment, acting without coordination will worsen the problem and waste precious time.

When dozens of companies independently scan the same library and each file a report, we bury the maintainers under noise. Every additional party that holds an unpatched vulnerability raises the odds it will leak before there is a fix, increasing the risk to all of us. So we are stating plainly: We all depend on open source, and we will all defend it together.

Akrites is our commitment to act differently and to act upstream, where maintainers live and where we can proactively respond to this new reality. This approach provides one confidential, trusted place to coordinate discovery, remediation, and disclosure, matching or surpassing the speed of AI-assisted attackers. A shared, dedicated Security Incident Response Team gives maintainers a single, predictable partner instead of a hundred uncoordinated reports.

As Akrites works upstream to fix projects at the source, we commit to support downstream efforts to secure critical infrastructure before it can be exploited. When patches are released to the public, adversaries are able to utilize AI to rapidly reverse engineer the underlying vulnerabilities, develop exploits, and launch attacks. The success of our efforts therefore will be measured in patch deployment, not publication. We will partner with critical infrastructure owners and operators, civil society efforts, and governments as they increase coordination to achieve these goals.

Confidentiality is non-negotiable: An undisclosed flaw in a widely deployed package is, in effect, a weapon, and the program is built first to prevent leaks. Fixes flow back into each project’s own home, working with the maintainers. The engineering resources and other capabilities provided by Akrites participants contribute to this effort. Additionally, when a critical package has no one maintaining it, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion. We will also align with government efforts so that public and private defenders move together, rather than in a disjointed fashion.

Akrites participants will contribute engineering resources; work to build and ship fixes; or fund the engineers who do. Some companies have contributed mightily already. The reality is, collectively, we need to contribute more.

Today, the undersigned...
