An Open Letter

We All Depend on Open Source. We Will Defend It Together.

An open letter regarding the launch of Akrites – a coordinated effort to remediate vulnerabilities in the open source software the world runs on

For decades, open source has been one of the great achievements of technology – software we built together and came to depend on completely. Today, this code underpins the world’s critical infrastructure and services that people depend on every day: banking, telecommunications, utilities and more run on the same open source libraries. Over the years, the industry incorporated open source throughout tech stacks.

The world has now changed around it. Artificial intelligence has collapsed the previous equilibrium between attackers and defenders, changing the equation of ease and reuse of software. Finding a serious vulnerability in a major open source project used to take an expert weeks. This now takes a machine minutes, and often the AI model returns multiple vulnerabilities in a single pass. The same AI capability that can help harden our software will, in the wrong hands, turn vulnerability discovery into a pipeline. In turn, this has already accelerated the cycle to a pace that is rapidly outstripping maintainers’ capacity to patch vulnerabilities. This is not a theoretical future risk. It is the present condition of every system we are responsible for.

Today, we are announcing a plan for addressing this issue in critical open source software – Akrites is the largest coordinated effort in history to create systems and deploy tooling that leverages the collective power of the community to make everyone safer. We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler to find, fix, and responsibly disclose vulnerabilities in critical open source software and support the security of the critical infrastructure that depends upon it.

A large and growing percentage of the world’s technology and open source software we depend on is built from the same components, carries the same latent defects, and is now exposed to the same accelerated discovery. No vendor’s walls are high enough to make this someone else’s problem.

Previously, security response and disclosure involved a patchwork of organizations and teams, often working on the same problems and sometimes shipping conflicting patches or multiple reports. In this new environment, acting without coordination will worsen the problem and waste precious time.

When dozens of companies independently scan the same library and each file a report, we bury the maintainers under noise. Every additional party that holds an unpatched vulnerability raises the odds it will leak before there is a fix, increasing the risk to all of us. So we are stating plainly: We all depend on open source, and we will all defend it together.

Akrites is our commitment to act differently and to act upstream, where maintainers live and where we can proactively respond to this new reality. This approach provides one confidential, trusted place to coordinate discovery, remediation, and disclosure, matching or surpassing the speed of AI-assisted attackers. A shared, dedicated Security Incident Response Team gives maintainers a single, predictable partner instead of a hundred uncoordinated reports.

As Akrites works upstream to fix projects at the source, we commit to support downstream efforts to secure critical infrastructure before it can be exploited. When patches are released to the public, adversaries are able to utilize AI to rapidly reverse engineer the underlying vulnerabilities, develop exploits, and launch attacks. The success of our efforts therefore will be measured in patch deployment, not publication. We will partner with critical infrastructure owners and operators, civil society efforts, and governments as they increase coordination to achieve these goals.

Confidentiality is non-negotiable: An undisclosed flaw in a widely deployed package is, in effect, a weapon, and the program is built first to prevent leaks. Fixes flow back into each project’s own home, working with the maintainers. The engineering resources and other capabilities provided by Akrites participants contribute to this effort. Additionally, when a critical package has no one maintaining it, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion. We will also align with government efforts so that public and private defenders move together, rather than in a disjointed fashion.

Akrites participants will contribute engineering resources; work to build and ship fixes; or fund the engineers who do. Some companies have contributed mightily already. The reality is, collectively, we need to contribute more.

Today, the undersigned commit real resources — engineering talent, security expertise, and funding — to harden the software we share. We have benefited from the incredible work of maintainers over the decades. As part of our responsibility and our commitment to open source we will meet this moment together, as partners, and make all of us safer.

The window is open now to get ahead of the new open source security risk reality, but it will not stay open. Together, we can take on the new risks while leaving behind a legacy of support and commitment to open source that secures the world’s technology systems for years to come.

Patch the commons together.

– The undersigned, June 25, 2026


Amazon Web Services
“Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before. That’s an enormous opportunity for defenders, and Akrites ensures we seize it together. Maintainers deserve a coordinated partnership, not a flood of reports. AWS is committed to securing the projects our customers depend on and building this shared infrastructure alongside the community.”
– Matt Wilson, Vice President and Distinguished Engineer, Amazon Web Services


Anthropic
“Open source projects collectively underpin much of the internet, and the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities. Getting ahead of that requires the industry to coordinate on findings and get fixes upstream before they’re disclosed and exploited. Efforts like Akrites drive this level of coordination at the scale and speed this moment requires.”
– Jason Clinton, Deputy Chief Information Security Officer, Anthropic


Chainguard
“The software supply chain is only as strong as the upstream it draws from, and we see how thin that layer really is. As AI finds more vulnerabilities, the industry will rush to patch them. Without coordination, those fixes will fragment across different patches and forks, and maintainers who are already overwhelmed, unreachable, or haven’t touched a project in years. Akrites gives the industry one coordinated way to fix vulnerabilities upstream before they’re exploited, with maintainers still in control. Now the work is making sure there’s always someone on the other end to catch them.”
– Dan Lorenc, CEO and Co-founder, Chainguard


Cisco
“Finding a serious open source vulnerability used to take an expert weeks. It now takes a machine minutes. When maintainers lose that race, so does everyone else. No single company, no single maintainer, and no single government can close that gap alone. That is why Cisco is bringing its networking infrastructure, security expertise, and decades of open source contribution to Akrites – because defenders cannot afford to lose, and maintainers cannot be left to run this alone.”
– Vijoy Pandey, SVP and GM, Outshift by Cisco


Citi
“Advances in AI models have significantly reduced the effort required to discover and exploit vulnerabilities. In partnership with the Linux Foundation and Project Akrites, Citi is committed to supporting the open-source ecosystem by helping to build a framework that identifies and remediates vulnerabilities and shares proposed patches. Focused on securing critical infrastructure, this initiative is a key part of our efforts to help the industry mitigate emerging threats.”
– Al Tarasiuk, Chief Information Security Officer, Citi


CNCF
“Open source cloud native infrastructure is the operational backbone of modern production software. When a vulnerability exists in a component that runs across thousands of Kubernetes clusters and cloud native deployments, the blast radius is enormous. Akrites addresses the coordination problem that has always made large-scale remediation so difficult: getting the right people, with the right context, working on the right fixes before the window closes. CNCF and OpenInfra are proud to support an effort that treats the open source ecosystem as the shared critical infrastructure it is.”
– Jonathan Bryce, Executive Director, Cloud Native Computing Foundation (CNCF)


Endor Labs
“For years we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore. Of the thousands of validated open source vulnerabilities surfaced in recent months, fewer than 5% have been patched. Endor Labs is a founding member of Akrites because it is built for the response this moment needs: coordinated remediation upstream, handled confidentially, with maintainers in control, so one trusted fix reaches everyone who depends on the code.”
– Varun Badhwar, CEO and Co-Founder, Endor Labs


Ericsson
“Vulnerability discovery is now moving at a speed that overwhelms both the maintainers who sustain open source projects and the users who rely on them. Uncoordinated reporting, patching, and disclosure create friction, putting the entire ecosystem at risk. No single organization can solve this alone. That is why Ericsson is joining Akrites as a Premier member, contributing funding and talent to a shared effort to keep open source software secure and thriving.”
– Per Beming, Chief Standardization Officer, Ericsson


Google
“As AI accelerates both the scale and speed of vulnerability discovery, defending the open source ecosystem requires an equally rapid, coordinated response. By joining Akrites, we are combining Google’s long-standing commitment to open source security with industry-wide expertise to ensure that vulnerabilities are found, fixed, and responsibly disclosed before they can be exploited. Safeguarding the software that powers the world’s critical infrastructure is essential to maintaining trust in our digital future.”
– Heather Adkins, VP Security Engineering, Google


JPMorganChase
“AI has massively compressed the time between vulnerability discovery and exploitation to near real time, which means we have to compress the time from fix to deployment. That’s why we at JPMorganChase are helping to build this effort to measure success in patch deployment, not patch publication. We support a mechanism that enables downstream operators of critical infrastructure so that fixes reach real systems before adversaries can turn disclosures into exploits. And upstream, we owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust, rather than a flood of duplicative, conflicting reports.”
– Pat Opet, Chief Information Security Officer, JPMorganChase


IBM
“Open source powers the systems we rely on every day—running everything from banks and hospitals to power grids and AI platforms. As frontier AI accelerates vulnerability discovery, the risk has grown too large for any one organization to address alone. That’s why an ecosystem approach is critical, bringing the community, technology providers, and enterprises together to ensure vulnerabilities are addressed collaboratively and at the new speed required today.”
– Jamie Thomas, IBM Enterprise Security Executive


LF Energy
“LF Energy supports the industry coming together to improve the security of the open source software our energy systems depend on. Our projects operate in critical infrastructure, from grid operations and substations to EV charging networks, so the integrity of that software supply chain matters enormously. We back a coordinated, upstream-friendly approach that works alongside maintainers and shares the investment in keeping critical open source components secure.”
– Alex Thornton, Executive Director, LF Energy


Microsoft & GitHub
“OpenSSF and Alpha-Omega demonstrated what is possible when industry comes together to strengthen open source security. Building on our experience co-founding these organizations, Akrites was created to address the emerging inflection point of AI-powered vulnerability discovery and defense. As a founding member, Microsoft will contribute expertise, resources, and AI technologies to help responsibly identify and fix vulnerabilities across the open source software ecosystem that customers and organizations depend on.”
– Mark Russinovich, Azure CTO, Deputy CISO and Technical Fellow


NVIDIA
“Transparency and open collaboration are how the cybersecurity community has kept infrastructure safe for decades. In the age of AI, these open source foundations have never been more critical. Open source AI is the engine of American innovation — and one of our most powerful tools for deploying AI with the security, trust, and transparency needed to power this industrial revolution.”
– David Reber, Chief Security Officer, NVIDIA


OpenInfra
“AI-powered vulnerability discovery is rapidly increasing the workload facing open source security and vulnerability management teams. To put this in perspective, the OpenStack community issued 20 security advisories this quarter alone, compared with just two advisories during all of 2025. As the volume of reported issues continues to accelerate, the OpenInfra Foundation welcomes efforts that help critical open source infrastructure projects manage this growing influx of findings effectively upstream.”
– Thierry Carrez, GM, OpenInfra Foundation


OpenJS
“The OpenJS Foundation believes improving open source security is a shared responsibility. As organizations increasingly use automated tools to identify potential vulnerabilities, collaborative approaches that help validate findings, reduce noise, and support coordinated remediation are essential. We welcome efforts that strengthen the relationship between industry and maintainers while helping improve the security and resilience of the open source software ecosystem.”
– Robin Bender Ginn, Executive Director, OpenJS Foundation


OpenSSF
“The rapid pace of AI driven vulnerability discovery is a new reality that no single team can face alone. OpenSSF stands firmly in support of this mission because it prioritizes the health of the open source projects we share. This coordinated approach allows us to secure our community and build the resilience we need for the future.”
– Steve Fernandez, General Manager, OpenSSF


PyTorch Foundation
“Open source foundations exist to create the conditions for the industry to do hard work together that no single organization can do alone. Security is no different. AI has fundamentally changed the math on vulnerability discovery, and going it alone is no longer just inefficient; it’s dangerous. Efforts like Akrites pave the way for the widest possible participation and the largest possible impact.”
– Mark Collier, Executive Director, PyTorch Foundation


RapidFort
“Open source only works when we keep the work open, upstream, and available to everyone who depends on it. The answer to the AI-driven vulnerability crisis is not to fragment the ecosystem behind proprietary walls or turn community foundations into closed products. It must be coordinated remediation that preserves the integrity of original software, works with maintainers, and returns fixes to the commons. We are proud to support the Akrites initiative which aligns with our belief of strengthening the open source ecosystem from within, helping organizations reduce risk without unnecessary code changes, and making the software we all share safer for everyone.”
– Mehran Farimani, CEO, RapidFort


Red Hat
“Open source is the foundation of modern software innovation. Defending that foundation requires a coordinated, upstream community response capable of meeting threats at scale. Red Hat’s participation in Akrites focuses on strengthening this upstream ecosystem. By collaborating openly to identify and patch vulnerabilities at the source, we help build a more resilient software supply chain for the entire industry.”
– Chris Wright, Chief Technology Officer and Senior Vice President, Global Engineering, Red Hat


Rust Foundation
“For too long, the goodwill and sense of responsibility among upstream maintainers has been taken for granted in security response processes. Akrites promises meaningful coordination with upstream maintainers, financial and full-time support to find, fix and disclose security vulnerabilities responsibly, and a genuine commitment from the most influential companies across tech and finance to solve this problem. The Rust Foundation looks forward to working with Akrites to develop security that is fit for the future.”
– Rebecca Rumbul, Executive Director & CEO, Rust Foundation


Sonatype
“Sonatype sees the dependency graph of the modern world every day. A single vulnerable component can sit underneath thousands of organizations, which means one upstream fix can reduce risk across an entire ecosystem. AI may make vulnerability discovery dramatically easier, but it does not make coordinated repair automatic. Akrites is important because it gives the industry a confidential way to do that work together, upstream, before the same flaw becomes thousands of separate incidents.”
– Brian Fox, Co-founder and CTO, Sonatype, and Steward of Maven Central


Vodafone
“With the increasing ability of AI to fast-track vulnerability discovery, now is the right time to come together and invest resources to safeguard critical open-source software on which telecommunications and many other industries rely. As a founding member, Vodafone has committed both expertise and funding to Akrites. This unified initiative will drive a co-ordinated, industry-wide approach to responsibly identify and fix vulnerabilities in the software that runs the systems upon which the world depends.”
– Paul Hopkins, Cyber & IT Strategy and Architecture Director, Vodafone


Zscaler
“AI has changed the speed of both offense and defense. Vulnerabilities can now be found at machine speed, which means defenders have to move just as fast. Akrites helps turn that speed into an advantage for the open source ecosystem by finding issues earlier, coordinating remediation responsibly, and pushing fixes upstream. Zscaler is proud to be part of it.”
– Deepen Desai, EVP and Chief Security Officer, Zscaler