
Akrites Launches Shared SIRT to Tame AI-Driven Vulnerability Flood

akrites.org · @keen_panda · 2 hours ago · Cybersecurity · 2 comments

AI scanning tools now let anyone find critical open source bugs in minutes, but the resulting duplicate reports overwhelm maintainers. Akrites proposes a centralized, TLP-fenced Security Incident Response Team to...

Tags: akrites, security incident response team, open source security, vulnerability coordination, tlp 2.0, vince

AI security tools dropped the cost of finding a serious software vulnerability from weeks of expert effort to minutes of automated scanning. That means a popular library now receives the same bug described five different ways from five reporters in one week. Maintainers burn out sifting AI noise, and some just ignore all automated reports, real ones included. Akrites, a new industry consortium, aims to fix that with a shared, confidential Security Incident Response Team (SIRT).

Discovery Outran Defence, and Duplicates Buried the Signal

Akrites names the problem bluntly: discovery has outrun defence. Every organization scanning the same open source packages independently creates duplicate findings, overwhelming upstream maintainers and raising the odds of pre-patch leaks. AI tooling makes it trivially easy for anyone to find the same vulnerabilities, and most findings should be treated as immediately public knowledge. Banks only know their own dependencies; hospitals only know theirs. Neither sees a shared critical package until it is on fire.

One SIRT, One CVD Window, TLP:RED Throughout

Akrites operates as a centralized coordination facility. Every finding flows through a standardized path: intake, deduplication and validation, remediation, then synchronized disclosure. The SIRT merges duplicates into a single case, validates severity (using CVSS, EPSS, SSVC), and assigns ownership. Maintainers face one predictable partner running one Coordinated Vulnerability Disclosure (CVD) window, not a hundred independent reports. All case material stays TLP:RED until publication. The infrastructure uses isolated secure enclaves, analyst workbenches on shielded VMs, and strict access controls. Coordination relies on VINCE (the CERT/CC tool) and GitHub Private Reporting for upstream disclosure. Key standards include CVE, TLP 2.0, CWE, CVSS, EPSS, SSVC, VEX, and VINCE.
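The intake path described above (deduplicate reports that describe the same bug, validate severity with CVSS and EPSS, keep the case TLP:RED until synchronized disclosure) is easiest to see in code. The following is an added illustration, not Akrites' own tooling: the case fingerprint, the tie-breaking order and the TLP relabeling on publication are assumptions chosen for the example, and the reports are constructed sample data.

```python
"""Illustrative intake -> deduplication -> triage -> disclosure pipeline.

Added example, not Akrites' code. The fingerprint used to merge duplicates,
the CVSS/EPSS ordering and the TLP gate are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Report:
    reporter: str
    package: str
    version: str
    component: str   # affected function/module as the reporter named it
    cwe: str
    cvss: float      # reporter-supplied base score
    epss: float      # probability of exploitation in the wild


@dataclass
class Case:
    key: tuple
    reports: list = field(default_factory=list)
    tlp: str = "TLP:RED"        # all case material stays red until publication

    @property
    def cvss(self) -> float:    # validated severity: take the highest claim
        return max(r.cvss for r in self.reports)

    @property
    def epss(self) -> float:
        return max(r.epss for r in self.reports)

    @property
    def reporters(self) -> list:
        return sorted({r.reporter for r in self.reports})


def case_key(r: Report) -> tuple:
    """Normalize the fields so five descriptions of one bug collapse into one key."""
    component = r.component.strip().lower().replace("()", "")
    return (r.package.strip().lower(), r.version.strip(), component, r.cwe.strip().upper())


def deduplicate(reports: list) -> list:
    """Merge reports sharing a fingerprint into a single case."""
    cases = {}
    for r in reports:
        k = case_key(r)
        cases.setdefault(k, Case(key=k)).reports.append(r)
    return list(cases.values())


def prioritize(cases: list) -> list:
    """Order cases for remediation: highest CVSS first, EPSS breaks ties."""
    return sorted(cases, key=lambda c: (c.cvss, c.epss), reverse=True)


def share_allowed(case: Case, recipient_in_cvd_window: bool) -> bool:
    """TLP:RED material may only reach parties inside the coordinated window."""
    return case.tlp != "TLP:RED" or recipient_in_cvd_window


def publish(case: Case) -> Case:
    """Synchronized disclosure: relabel only at the end of the CVD window."""
    case.tlp = "TLP:CLEAR"
    return case


# Constructed sample input: five reporters describing the same bug, plus one other
SAMPLE_REPORTS = [
    Report("alice", "libfoo", "1.2.3", "parse_header", "CWE-787", 9.8, 0.42),
    Report("bob", "LibFoo", "1.2.3", "parse_header()", "cwe-787", 9.1, 0.40),
    Report("carol", "libfoo ", "1.2.3", "Parse_Header", "CWE-787", 8.8, 0.38),
    Report("dave", "libfoo", "1.2.3", " parse_header ", "CWE-787", 9.8, 0.45),
    Report("erin", "libfoo", "1.2.3", "parse_header", "CWE-787 ", 9.3, 0.41),
    Report("frank", "libbar", "0.9.0", "decode_frame", "CWE-125", 7.5, 0.05),
]

if __name__ == "__main__":
    queue = prioritize(deduplicate(SAMPLE_REPORTS))
    for c in queue:
        print(c.key[0], c.tlp, "cvss=%.1f" % c.cvss, "reporters=%s" % c.reporters)
```

The maintainer sees one case with five reporters attached rather than five tickets, and nothing leaves the case while it is TLP:RED unless the recipient is already inside the coordination window.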

Three Membership Tiers, Open Source Projects Free

Premier members (critical infrastructure operators, vendors, platforms) get priority SIRT coordination and are eligible for Governing Board nomination. General members (organizations wanting to help without large engineering resources) get forum participation, priority briefings, and named inclusion in transparency reports. Associate status is free for recognized open source foundations and projects. Akrites integrates with external finders like Glasswing, MITRE/CVE, Lightwell, and FIRST, but focuses on coordinating disclosure of their findings rather than on finding vulnerabilities itself.

The name comes from the Akritai, Byzantine frontier guardians who stood watch where threats arrived first. Akrites positions itself as the industry version of that watch for upstream open source, where defenses have been thinnest. If it scales, it could turn the flood of AI-generated vulnerability reports from a liability into a coordinated defense mechanism.


Source: Akrites: Coordinated, confidential vulnerability remediation for the open source software critical infrastructure depends on
Domain: akrites.org
