Pangram verdict · v3.3
We believe that this document is primarily human-written, with some AI-assisted content detected
AI likelihood · overall
MixedArticle text · 1,619 words · 5 segments analyzed
We All Depend on Open Source. We Will Defend It Together. An open letter regarding the launch of Akrites – a coordinated effort to remediate vulnerabilities in the open source software the world runs on For decades, open source has been one of the great achievements of technology – software we built together and came to depend on completely. Today, this code underpins the world’s critical infrastructure and services that people depend on every day: banking, telecommunications, utilities and more run on the same open source libraries. Over the years, the industry incorporated open source throughout tech stacks. The world has now changed around it. Artificial intelligence has collapsed the previous equilibrium between attackers and defenders, changing the equation of ease and reuse of software. Finding a serious vulnerability in a major open source project used to take an expert weeks. This now takes a machine minutes, and often the AI model returns multiple vulnerabilities in a single pass. The same AI capability that can help harden our software will, in the wrong hands, turn vulnerability discovery into a pipeline. In turn, this has already accelerated the cycle to a pace that is rapidly outstripping maintainers’ capacity to patch vulnerabilities. This is not a theoretical future risk. It is the present condition of every system we are responsible for. Today, we are announcing a plan for addressing this issue in critical open source software – Akrites is the largest coordinated effort in history to create systems and deploy tooling that leverages the collective power of the community to make everyone safer. We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler to find, fix, and responsibly disclose vulnerabilities in critical open source software and support the security of the critical infrastructure that depends upon it. A large and growing percentage of the world’s technology and open source software we depend on is built from the same components, carries the same latent defects, and is now exposed to the same accelerated discovery. No vendor’s walls are high enough to make this someone else’s problem. Previously, security response and disclosure involved a patchwork of organizations and teams, often working on the same problems and sometimes shipping conflicting patches or multiple reports.
In this new environment, acting without coordination will worsen the problem and waste precious time. When dozens of companies independently scan the same library and each file a report, we bury the maintainers under noise. Every additional party that holds an unpatched vulnerability raises the odds it will leak before there is a fix, increasing the risk to all of us. So we are stating plainly: We all depend on open source, and we will all defend it together. Akrites is our commitment to act differently and to act upstream, where maintainers live and where we can proactively respond to this new reality. This approach provides one confidential, trusted place to coordinate discovery, remediation, and disclosure, matching or surpassing the speed of AI-assisted attackers. A shared, dedicated Security Incident Response Team gives maintainers a single, predictable partner instead of a hundred uncoordinated reports. As Akrites works upstream to fix projects at the source, we commit to support downstream efforts to secure critical infrastructure before it can be exploited. When patches are released to the public, adversaries are able to utilize AI to rapidly reverse engineer the underlying vulnerabilities, develop exploits, and launch attacks. The success of our efforts therefore will be measured in patch deployment, not publication. We will partner with critical infrastructure owners and operators, civil society efforts, and governments as they increase coordination to achieve these goals. Confidentiality is non-negotiable: An undisclosed flaw in a widely deployed package is, in effect, a weapon, and the program is built first to prevent leaks. Fixes flow back into each project’s own home, working with the maintainers. The engineering resources and other capabilities provided by Akrites participants contribute to this effort. Additionally, when a critical package has no one maintaining it, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion. We will also align with government efforts so that public and private defenders move together, rather than in a disjointed fashion. Akrites participants will contribute engineering resources; work to build and ship fixes; or fund the engineers who do. Some companies have contributed mightily already. The reality is, collectively, we need to contribute more. Today, the undersigned commit real resources — engineering talent, security expertise, and funding — to harden the software we share. We have benefited from the incredible work of maintainers over the decades.
As part of our responsibility and our commitment to open source we will meet this moment together, as partners, and make all of us safer. The window is open now to get ahead of the new open source security risk reality, but it will not stay open. Together, we can take on the new risks while leaving behind a legacy of support and commitment to open source that secures the world’s technology systems for years to come. Patch the commons together. – The undersigned, June 25, 2026
Amazon Web Services “Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before. That’s an enormous opportunity for defenders, and Akrites ensures we seize it together. Maintainers deserve a coordinated partnership, not a flood of reports. AWS is committed to securing the projects our customers depend on and building this shared infrastructure alongside the community.” – Matt Wilson, Vice President and Distinguished Engineer, Amazon Web Services
Anthropic “Open source projects collectively underpin much of the internet, and the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities. Getting ahead of that requires the industry to coordinate on findings and get fixes upstream before they’re disclosed and exploited. Efforts like Akrites drive this level of coordination at the scale and speed this moment requires.” – Jason Clinton, Deputy Chief Information Security Officer, Anthropic
Chainguard “The software supply chain is only as strong as the upstream it draws from, and we see how thin that layer really is. As AI finds more vulnerabilities, the industry will rush to patch them. Without coordination, those fixes will fragment across different patches and forks, and maintainers who are already overwhelmed, unreachable, or haven’t touched a project in years. Akrites gives the industry one coordinated way to fix vulnerabilities upstream before they’re exploited, with maintainers still in control. Now the work is making sure there’s always someone on the other end to catch them.” – Dan Lorenc, CEO and Co-founder, Chainguard
Cisco “Finding a serious open source vulnerability used to take an expert weeks. It now takes a machine minutes. When maintainers lose that race, so does everyone else. No single company, no single maintainer, and no single government can close that gap alone.
That is why Cisco is bringing its networking infrastructure, security expertise, and decades of open source contribution to Akrites – because defenders cannot afford to lose, and maintainers cannot be left to run this alone.” – Vijoy Pandey, SVP and GM, Outshift by Cisco
Citi “Advances in AI models have significantly reduced the effort required to discover and exploit vulnerabilities. In partnership with the Linux Foundation and Project Akrites, Citi is committed to supporting the open-source ecosystem by helping to build a framework that identifies and remediates vulnerabilities and shares proposed patches. Focused on securing critical infrastructure, this initiative is a key part of our efforts to help the industry mitigate emerging threats.” – Al Tarasiuk, Chief Information Security Officer, Citi
CNCF ” Open source cloud native infrastructure is the operational backbone of modern production software.
When a vulnerability exists in a component that runs across thousands of Kubernetes clusters and cloud native deployments, the blast radius is enormous. Akrites addresses the coordination problem that has always made large-scale remediation so difficult: getting the right people, with the right context, working on the right fixes before the window closes. CNCF and OpenInfra are proud to support an effort that treats the open source ecosystem as the shared critical infrastructure it is.” – Jonathan Bryce, Executive Director, Cloud Native Computing Foundation (CNCF)
Endor Labs “For years we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore. Of the thousands of validated open source vulnerabilities surfaced in recent months, fewer than 5% have been patched. Endor Labs is a founding member of Akrites because it is built for the response this moment needs: coordinated remediation upstream, handled confidentially, with maintainers in control, so one trusted fix reaches everyone who depends on the code.” – Varun Badhwar, CEO and Co-Founder, Endor Labs
Ericsson Vulnerability discovery is now moving at a speed that overwhelms both the maintainers who sustain open source projects and the users who rely on them. Uncoordinated reporting, patching, and disclosure create friction, putting the entire ecosystem at risk. No single organization can solve this alone. That is why Ericsson is joining Akrites as a Premier member, contributing funding and talent to a shared effort to keep open source software secure and thriving. – Per Beming, Chief Standardization Officer, Ericsson
Google “As AI accelerates both the scale and speed of vulnerability discovery, defending the open source ecosystem requires an equally rapid, coordinated response. By joining Akrites, we are combining Google’s long-standing commitment to open source security with industry-wide expertise to ensure that vulnerabilities are found, fixed, and responsibly disclosed before they can be exploited.