Linux Foundation Launches Akrites to Coordinate Open Source Patching

Nineteen companies including Amazon, Google, OpenAI and Anthropic back a shared team to patch open source before AI finds the holes.

Oliver Senti, Senior AI Editor
June 27, 2026

The Linux Foundation announced Akrites on June 25, a joint effort to patch vulnerabilities in critical open source software before attackers can weaponize them. Nineteen founding organizations signed on, among them Amazon Web Services, Anthropic, Google, Microsoft, OpenAI, IBM, NVIDIA, plus banks like Citi and JPMorganChase. The pitch: AI now finds bugs faster than maintainers can fix them, and the old disclosure model can't keep up.

The actual problem

Frontier models can scan a major project and surface multiple confirmed vulnerabilities in minutes, work that took a skilled researcher weeks. That cuts both ways. The press release frames it as defenders finally getting an edge, but the same speed hands attackers a loaded gun the moment a patch goes public.

Which is the part worth sitting with. Endor Labs CEO Varun Badhwar gave the number that should embarrass everyone in the room: of the thousands of validated open source vulnerabilities AI has surfaced lately, fewer than 5% got patched. Finding bugs was never the bottleneck. Fixing them is.

How it's supposed to work

Akrites sets up a shared Security Incident Response Team, one confidential intake point instead of twenty companies independently dumping the same bug report on an overwhelmed volunteer. Reports stay locked down until a fix ships. Patches go back into each project's own repository on the maintainer's terms, using standard tracking like CVE and CVSS. And when a critical package has been abandoned, Akrites says it'll step in as maintainer of last resort.

JPMorganChase CISO Pat Opet drew the line that actually matters. AI has compressed the gap between discovery and exploitation to near real time, he said, which means an adversary can reverse-engineer your published patch and build a working exploit before half your downstream systems have even deployed the fix. Success, by his measure, is "patch deployment, not patch publication." Hard to argue with, harder to pull off.

Why now, and why so crowded

The timing isn't subtle. OpenAI launched its own parallel effort, Patch the Planet, three days before Akrites, a sprint pairing its GPT-5.5-Cyber model with Trail of Bits engineers across 19 open source projects. Chainguard announced something similar, called Athena, less than two weeks earlier. The Linux Foundation's announcement doesn't mention Athena at all, which tells you a little about how these coalitions are forming in real time.

Anthropic Deputy CISO Jason Clinton, writing in the group's open letter, said the existing disclosure model "has been outpaced by how quickly AI can now find vulnerabilities." True enough, though every founding member has a commercial reason to want this particular problem solved by this particular committee.

One unresolved tension hangs over the whole thing: a coalition of the largest tech companies and Wall Street banks now coordinating disclosure for software the entire internet runs on. Whether that's stewardship or consolidation depends on who you ask, and the answer isn't in any press release.

Seed funding comes from Alpha-Omega, a Linux Foundation directed fund that has issued more than 70 grants totaling over $20 million since 2022. Other organizations can join by contributing engineers or money at akrites.org.


Oliver Senti

Senior AI Editor

Former software engineer turned tech writer, Oliver has spent the last five years tracking the AI landscape. He brings a practitioner's eye to the hype cycles and genuine innovations defining the field, helping readers separate signal from noise.
