Fewer Than 5% of AI-Found Open Source Vulnerabilities Get Patched. Akrites Is the Industry's Fix.

AI compressed vulnerability discovery from weeks to minutes. The patching pipeline didn't keep up. 19 organizations - including direct competitors - launched Akrites to fix that.

Saganote · 3 Min Read

Linux Foundation launched Project Akrites on June 25 - a coordinated effort to find, fix, and disclose vulnerabilities in the open source software critical infrastructure runs on. Frontier AI models can scan a major open source project and surface vulnerabilities in minutes. That used to take a domain expert weeks. Project Akrites is the patching side of that equation, backed by 19 founding organizations including AWS, Anthropic, Cisco, Google, Microsoft, Nvidia, and OpenAI.

AI Found Thousands of Open Source Vulnerabilities. Fewer Than 5% Got Patched.

Vulnerability discovery accelerated. Patch velocity did not. Endor Labs, one of Akrites' founding members, reported that of the thousands of validated open source vulnerabilities AI tools surfaced in recent months, fewer than 5% received patches. Getting that fix rate from 5% toward something approaching 100% - at machine speed - is the stated goal of the initiative.

Cisco SVP Vijoy Pandey framed the asymmetry: a serious open source vulnerability used to demand weeks of expert work to find. AI does it in minutes. Once that speed reaches bad actors broadly - not just companies with security teams the size of Cisco's - defenders lose their time advantage entirely. Supply chain attacks like the LastPass breach came through exactly the kind of unmaintained upstream dependency that Akrites is built to address.

One SIRT, One CVD Process - Not a Flood of Duplicate Reports

Before Akrites, open source vulnerability response followed a patchwork model: organizations would independently find the same flaw, ship conflicting patches, and flood already-stretched maintainers with duplicate reports. Akrites replaces that with a single shared Security Incident Response Team (SIRT) and a standardized Coordinated Vulnerability Disclosure (CVD) process built on CVE, CVSS, EPSS, SSVC, VEX, and other established industry standards.

Confidentiality is the core design principle: bug fixes return to each project's original repository on maintainers' own terms. Where a critical package has no active maintainer - a common reality for open source infrastructure that banks, hospitals, and power grids depend on without always knowing it - Akrites will serve as maintainer of last resort, ensuring fixes reach everyone who depends on the code before they can be exploited.

Competing AI Labs. Same Security Framework. One Joint Letter.

19 organizations signed Akrites' founding commitment. Even direct rivals signed. AWS and Google, Anthropic and OpenAI, Red Hat and Microsoft all committed to the same SIRT and disclosure process, alongside Cisco, Citi, IBM, JPMorganChase, Nvidia, Rust Foundation, Vodafone, Zscaler, Chainguard, Endor Labs, RapidFort, Sonatype, and Ericsson. Competing AI labs sharing a coordinated vulnerability disclosure framework would have seemed unlikely before AI gave attackers the ability to find open source flaws faster than any single organization can patch them. To mark the launch, founding signatories published a joint open letter at akrites.org: "We All Depend on Open Source. We Will Defend It Together."

Anthropic's Fable 5 cybersecurity safeguards published last week detailed exactly how frontier AI compresses attack timelines - Akrites is the upstream, coordinated response to the same problem. Akrites measures success in patch deployment, not patch publication. JPMorganChase CISO Pat Opet put the standard plainly: "AI has massively compressed the time between vulnerability discovery and exploitation to near real time, which means we have to compress the time from fix to deployment." Whether the industry can close the gap between 5% patched and the 95% still exposed is what the project now has to prove.
