Akrites Unites 19 Tech Giants to Harden Open Source Against AI Attacks

akrites.org · @keen_panda · 3 hours ago · Cybersecurity · 4 comments

AI can now find vulnerabilities in major open source projects in minutes, collapsing the advantage defenders once had.

Finding a serious vulnerability in a major open source project used to take an expert weeks; today, an AI model can do it in minutes and return multiple flaws in a single pass. That's the new equilibrium attackers and defenders share, and it is already outstripping maintainers' capacity to patch.

AI Collapses the Attacker-Defender Timeline

Akrites, the open source security initiative announced June 25, 2026, names the problem plainly: the same AI capability that helps harden software will, in the wrong hands, turn vulnerability discovery into a pipeline. Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler all signed on to the letter. No single vendor's walls are high enough to make this someone else's problem.

Previously, security response involved a patchwork of organizations shipping conflicting patches or filing duplicate reports. When dozens of companies independently scan the same library, maintainers get buried under noise. Every additional party holding an unpatched vulnerability raises the odds it leaks before a fix exists.

One Shared IRT Instead of a Hundred Reports

Akrites provides one confidential, trusted place to coordinate discovery, remediation, and disclosure. A shared Security Incident Response Team gives maintainers a single predictable partner instead of a hundred uncoordinated reports. The program is built to match or surpass the speed of AI-assisted attackers.

Confidentiality is non-negotiable: an undisclosed flaw in a widely deployed package is a weapon. Fixes flow back into each project's own home, working with the maintainers. When a critical package has no maintainer, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion.

Patch Deployment Becomes the Metric

When patches are released publicly, adversaries can use AI to rapidly reverse engineer the underlying vulnerabilities, develop exploits, and launch attacks. That is why Akrites measures success in patch deployment, not publication. The effort will partner with critical infrastructure owners, civil society, and governments to achieve that.

Participants contribute engineering resources, security expertise, and funding. The letter states plainly: we have benefited from the work of maintainers for decades, and now the window is open to get ahead of the new reality, but it will not stay open.


Source: We All Depend on Open Source. We Will Defend It Together
Domain: akrites.org
