The Linux Foundation on Thursday announced a new industry effort aimed at efficiently addressing vulnerabilities in the open source software (OSS) ecosystem.
Named Akrites, it establishes a shared Security Incident Response Team (SIRT) for coordinated discovery, patching, and public disclosure of OSS security defects.
If it sounds familiar, it should. Less than two weeks ago, Chainguard announced Athena, a coalition of over two dozen fintech and technology organizations aimed at addressing OSS bugs before public disclosure.
At the time, Chainguard said it would work with the Linux Foundation on a coordinated SIRT, noting that the increased use of AI in cyberattacks is essentially closing the window between public disclosure and patching.
While the Linux Foundation’s new announcement makes no mention of Athena, Akrites walks the same path: it offers the tools and channels to report, validate, and address OSS vulnerabilities before their coordinated public disclosure.
Akrites is supported by Anthropic, AWS, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler, many of which were mentioned as members of Athena.
Seed funding to support Akrites comes from the Linux Foundation’s directed fund Alpha-Omega, with other organizations providing engineering resources and additional funding.
In addition to establishing a confidential, trusted partner for vulnerability disclosure, eliminating hundreds of uncoordinated independent reports, Akrites will also work with critical infrastructure to help deploy fixes before in-the-wild exploitation.
“When patches are released to the public, adversaries are able to utilize AI to rapidly reverse engineer the underlying vulnerabilities, develop exploits, and launch attacks. The success of our efforts, therefore, will be measured in patch deployment, not publication,” the Linux Foundation said.
Akrites was created with a focus on confidentiality, to prevent vulnerability weaponization before patches are delivered, and to act as the maintainer of last resort, ensuring that fixes can still be delivered for packages that are no longer maintained.
Related: IBM and Red Hat Commit $5 Billion to Secure Open Source Supply Chains Under “Project Lightwell”
Related: Tech Giants Invest $12.5 Million in Open Source Security
Related: RSAC Releases Quantickle Open Source Threat Intelligence Visualization Tool
Related: OpenAI Refocuses Cybersecurity Efforts on Patching Over Discovery
