Nineteen companies built a shield for open source against AI. Four of them make the AI.
Project Akrites gives the volunteer-run code underneath banks, hospitals and power grids one confidential place to report the flaws AI can now find in minutes — and quietly makes a private consortium the maintainer of last resort. Read who's funding it, and what the announcement doesn't say.

Image: The Linux Foundation
The press release went out on June 25 in the reassuring vocabulary of every industry consortium ever announced: coordinated, trusted, responsibly disclose. Nineteen names were attached to it. Read the list slowly, because the list is the story. Amazon Web Services, Anthropic, Google, Microsoft and GitHub, OpenAI, NVIDIA, IBM, Cisco, Citi, JPMorganChase, Ericsson, Vodafone, Zscaler, Red Hat, Sonatype, Chainguard, Endor Labs, RapidFort, and the Rust Foundation. They have launched Project Akrites, a Linux Foundation initiative to defend the open-source software the world runs on against a new kind of attacker. Four of the companies on that list — Anthropic, Google, Microsoft, OpenAI — build the attacker.
That is not an accusation. It is the premise of the project, written into its own materials. The frontier AI labs that are funding Akrites and the frontier AI labs whose models created the problem Akrites exists to solve are, in four cases, the same companies. The announcement does not hide this. It depends on it. What follows is an attempt to read the document for what it actually establishes — the mechanism, the money, and the authority that changes hands — and to be precise about where the public record stops.
The asymmetry that broke
Start with the threat, because the project's own framing of it is the clearest thing in the release. For as long as open-source security has existed, the release states, "finding and fixing serious flaws in open source software demanded comparable expertise from attackers and defenders alike." A hard bug was hard for everyone. That rough symmetry — expensive to find whether you meant to patch it or exploit it — was the quiet load-bearing assumption under the whole volunteer ecosystem. It is now gone. "Today," the release says, "frontier AI models can scan a major open source project and surface vulnerabilities in minutes."
The member companies say it more bluntly than the Linux Foundation does. "Finding a serious open source vulnerability used to take an expert weeks," said Dan Lorenc, chief executive of Chainguard. "It now takes a machine minutes." Pat Opet, the chief information security officer of JPMorganChase, put the consequence in operational terms: "AI has massively compressed the time between vulnerability discovery and exploitation to near real time." Al Tarasiuk, Citi's CISO, added the part that matters for who gets hurt: "Advances in AI models have significantly reduced the effort required to discover and exploit vulnerabilities." Reduced the effort — meaning the person who previously could not mount a sophisticated attack now can, because the expertise is rented from a model, not earned over years.
There is one number in the release that should stop you. Of the thousands of validated open-source vulnerabilities surfaced in recent months, it states, fewer than 5 percent have been patched. That is the gap Akrites is built over: machines can now find flaws faster than a loose federation of unpaid maintainers can fix them, and the ratio is not close.
What the mechanism actually is
Strip away the framing and Akrites is two concrete things. The first is a shared Security Incident Response Team, a single SIRT that takes in vulnerability reports for critical open-source projects instead of each project fielding its own flood of them. The second is one standardized Coordinated Vulnerability Disclosure process, built, in the release's words, "on confidentiality-first principles" and the established security toolset: CVE identifiers to name each flaw, CVSS to score its severity, and EPSS to estimate how likely it is to be exploited, the industry's alphabet of triage. A report comes in privately, gets triaged by the shared team, and a fix is returned to "each project's original repository on maintainers' terms." Rebecca Rumbul, who runs the Rust Foundation, named the exhaustion this is meant to relieve: "For too long, the goodwill among upstream maintainers has been taken for granted in security response."
Take that mechanism seriously and it is defensible, possibly necessary. A single maintainer of a library that sits under ten thousand companies should not have to personally absorb a machine-generated queue of vulnerability reports. Brian Fox, co-founder of Sonatype, gave the reason the whole thing scales: "A single vulnerable component can sit underneath thousands of organizations, which means one upstream fix can reduce risk across an entire ecosystem." One fix, everyone benefits. That is the honest case for a coordination layer, and it is a real one.
But notice what "confidentiality-first" means when you say it about open source specifically. The open-source model has defaulted to fixing its bugs in public: the open issue tracker, the public commit, the mailing list anyone can read. Its transparency was not a side effect; it was the security model, the reason a million eyes could in principle catch what one pair missed. Private-first handling of severe flaws is not itself new to that world; mature projects and the distribution security lists have run embargoes for years, each on its own terms and with its own clock. What Akrites proposes is to centralize that private channel, routing the most serious flaws across many projects through one shared intake first, on the theory that the eyes it now has to worry about belong to machines that read faster than the public can patch. That may well be the right trade. It is also, precisely, the introduction of a single confidential front door to the most public code on earth, and a confidential system raises a different question than a technical one does. Not is it secure. Who runs it, on whose terms, and how would you know.
The clause that transfers authority
One sentence in the release does more than the rest of it combined, and it is easy to read past. "Where a critical package has no active maintainer," it states, "Akrites will serve as maintainer of last resort so fixes to the latest version reach everyone in a timely fashion." Read it again. A great deal of the code holding up finance, health care, telecommunications and the power grid is maintained — when it is maintained at all — by volunteers, some of whom have drifted away, died, or simply stopped. For those packages, the consortium proposes to step in and ship the fix itself.
"Maintainer of last resort" is a coordination service on the page and a transfer of authority in practice: a private consortium acquiring standing to push code into infrastructure no one elected it to steward.
On the page that is a service. In practice it is a transfer of authority. "Maintainer of last resort" means the standing to push code into software that runs inside banks and hospitals, in cases where the volunteer who used to hold that authority is gone. Someone should probably hold it — an orphaned critical package is a genuine hazard. But the release does not say who, inside Akrites, decides that a package is orphaned, decides what the fix is, or decides when it ships. It says the consortium will do it. The identity of the party acquiring that power over unelected infrastructure is exactly the thing the announcement leaves blank.
Follow the money, and the lineage
The funding is disclosed, and it is worth stating plainly. Seed money comes from Alpha-Omega, a directed fund of the Linux Foundation that has issued more than 70 grants totaling over $20 million to open-source security projects since 2022. Alpha-Omega is itself backed by Microsoft, Google and Amazon. So the through-line is clean: the largest technology companies fund the fund, the fund seeds the consortium, and the consortium coordinates the defense of code those same companies build their products on. None of that is hidden. All of it means the defense of the commons is being organized and paid for by its largest commercial users — which is efficient, and which is also how a commons quietly acquires landlords.
This is not the first time the industry has discovered that critical open source runs on unpaid labor only after something broke. In 2014 the Heartbleed flaw in OpenSSL revealed that a library securing much of the web was maintained by a tiny, underfunded team, and the Core Infrastructure Initiative was stood up in response. In 2021 the Log4Shell vulnerability in Log4j — a logging library almost no executive had heard of and almost every enterprise ran — sent the industry, and eventually the White House, into a summit on open-source security, and hardened the Open Source Security Foundation that Akrites now builds on. In 2024 a backdoor was found, nearly by accident, hidden in XZ Utils by someone who had spent years earning a volunteer maintainer's trust. Each episode taught the same lesson: the software is critical, the maintainers are few, and no one is in charge. Akrites is the most institutional answer yet to that lesson. Mark Russinovich, Microsoft's Azure chief technology officer, framed it as continuity, citing his own role co-founding the earlier efforts: Akrites, he said, "was created to address the emerging inflection point of AI-powered vulnerability discovery and defense."
The counter-argument, stated at full strength
The rebuttal the member companies would offer is not weak, and it should be on the record. Their case is that the same AI collapsing the attacker-defender symmetry also arms the defenders — that the models finding flaws in minutes can fix them in minutes too, if someone builds the pipeline to do it. "Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before," said Matt Wilson of AWS. On that reading the labs are not laundering a threat they created; they are funding the cleanup with the same tool, and the conflict of interest is really an alignment of interest — everyone, attacker and defender, is better off if the world's shared code is patched fast. Anthropic's deputy CISO, Jason Clinton, located the gap the effort is meant to close honestly: "the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities." That is true, and it is a real reason to build something.
Here is where that argument runs out. Whether the labs' intentions are clean is not the question the structure raises. The question the structure raises is accountability: a private body, funded by the largest firms in the industry, is being handed a confidential intake for the most consequential software vulnerabilities and standing authority to patch orphaned infrastructure — and the mechanisms that would let anyone outside it check its work are the parts left unspecified. Good intentions do not answer who decides. They just make the absence of an answer easier to accept.
Where the record runs out
So here is what the announcement does not say, itemized, because the gaps are the accountability story. It does not disclose a budget beyond "seed funding," or what the member companies pay in, or whether they pay in at all. It does not name a governing board, or describe how decisions get made, or say whether Akrites is a distinct legal entity or a program running inside the Linux Foundation — one security outlet noted the entity structure is simply not stated. It does not name who holds disclosure authority: who decides a flaw stays confidential, for how long, and who is told before the public is. It does not give an operational date — when the SIRT starts taking reports, when "maintainer of last resort" becomes a live power rather than a sentence. Every one of those is a fair question to put to the Linux Foundation, and every one of them is currently blank.
That the mechanism is probably necessary and the gaps are probably fixable does not make the gaps disappear. The pattern in every open-source security scare of the last decade was the same: critical code, too few maintainers, no one accountable. Akrites finally puts someone in the room — nineteen someones, four of whom build the AI that made the room necessary. Whether that is stewardship or capture depends entirely on the answers to the questions the announcement declined to answer, and those answers are not in the document. They are in the bylaws no one has published, the disclosure policy no one has posted, and the governance no one has named. Until they are, the most honest thing to say about Project Akrites is the thing its own release is careful not to: a private consortium now stands at the confidential front door of the world's public code, and the public has been told what it will do, but not who decides.
References
- Linux Foundation — Industry leaders launch Akrites to defend critical open source against AI-enabled cyber threats
- PR Newswire — Full Akrites launch release and member quotes
- SD Times — Linux Foundation and industry leaders launch Akrites
- Help Net Security — Akrites open-source security framework: structure and scope
- Decrypt — Alpha-Omega seed funding and the 'maintainer of last resort' role
- DevOps.com — 'The latest attempt to protect open source from AI attacks'