Linux Foundation Unveils New Open Source Security Project Akrites

The Linux Foundation on Thursday announced a new industry effort aimed at efficiently addressing vulnerabilities in the open source software (OSS) ecosystem. Named Akrites, it establishes a shared Security Incident Response Team (SIRT) for coordinated discovery, patching, and public disclosure of OSS security defects. If it sounds familiar, it should. Less than two weeks ago, Chainguard announced Athena, a coalition of over two dozen fintech and technology organizations aimed at addressing OSS bugs before public disclosure. At the time, Chainguard said it would work with the Linux Foundation on a coordinated SIRT, noting that the increased use of AI in cyberattacks is essentially closing the window between public disclosure and patching. While the Linux Foundation’s new announcement makes no mention of Athena, Akrites walks the same path: it offers the tools and channels to report, validate, and address OSS vulnerabilities before their coordinated public disclosure. Akrites is supported by Anthropic, AWS, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler, many of which were mentioned as members of Athena. Seed funding to support Akrites comes from the Linux Foundation’s directed fund Alpha-Omega, with other organizations providing engineering resources and additional funding. In addition to establishing a confidential, trusted partner for vulnerability disclosure, eliminating hundreds of uncoordinated independent reports, Akrites will also work with critical infrastructure to help deploy fixes before in-the-wild exploitation. “When patches are released to the public, adversaries are able to utilize AI to rapidly reverse engineer the underlying vulnerabilities, develop exploits, and launch attacks. The success of our efforts, therefore, will be measured in patch deployment, not publication,” the Linux Foundation said. Akrites was created with a focus on confidentiality, to prevent vulnerability weaponization before patches are delivered, and to act as the maintainer of last resort, ensuring that fixes can still be delivered for packages that are no longer maintained. Related: IBM and Red Hat Commit $5 Billion to Secure Open Source Supply Chains Under “Project Lightwell” Related: Tech Giants Invest $12.5 Million in Open Source Security Related: RSAC Releases Quantickle Open Source Threat Intelligence Visualization Tool Related: OpenAI Refocuses Cybersecurity Efforts on Patching Over Discovery WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire GitLab Patches Code Execution, Information Disclosure Vulnerabilities 25-Year-Old Vulnerability Patched in Curl NIST Opens Updated IoT Security Guidance to Public Review Chrome 149 Update Resolves 18 Severe Vulnerabilities Critical Ubiquiti Vulnerabilities in Attackers’ Crosshairs New ‘Mistic’ RAT Opens Door to Several Ransomware Families Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking BeyondTrust, LastPass Impacted by Klue-Salesforce Incident Latest News $3 Million Reportedly Stolen in Polymarket Hack Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild New Enterprise-Ready MCP Specification Brings New Security Challenges Philip Martin Joins Uber as Chief Information Security Officer Runlayer Raises $30 Million in Series A Funding Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning Trending Webinar: Why Email Security Keeps Failing (And What Has To Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the Move Philip Martin has joined Uber as Chief Information Security Officer. Fable Security has appointed Jacob Berry as Chief Information Security Officer. iCOUNTER has named Ali Waezzadah as Chief Information Security Officer. More People On The Move Expert Insights When Information Becomes The Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told The Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Email