
We All Depend on Open Source. We Will Defend It Together

Why This Matters

This article highlights the critical role of open source software in global infrastructure and the urgent need to defend it as AI accelerates vulnerability discovery. The launch of Akrites is presented as the largest coordinated effort to date to improve the security and resilience of open source projects, with major industry players taking part. The initiative frames the safeguarding of the foundational software that consumers and businesses rely on daily as a collective responsibility of the technology industry.


An open letter regarding the launch of Akrites – a coordinated effort to remediate vulnerabilities in the open source software the world runs on

For decades, open source has been one of the great achievements of technology: software we built together and came to depend on completely. Today that code underpins the world's critical infrastructure and the services people rely on every day; banking, telecommunications, utilities and more run on the same open source libraries, which the industry has incorporated throughout its technology stacks.

The world has now changed around it. Artificial intelligence has collapsed the previous equilibrium between attackers and defenders by changing how easily software can be analysed and how widely the results can be reused. Finding a serious vulnerability in a major open source project used to take an expert weeks. It now takes a machine minutes, and a model often returns several vulnerabilities in a single pass. The same capability that can help harden our software will, in the wrong hands, turn vulnerability discovery into a pipeline. This has already accelerated the find-and-fix cycle to a pace that is rapidly outstripping maintainers' capacity to patch. This is not a theoretical future risk; it is the present condition of every system we are responsible for.

Today we are announcing a plan to address this in critical open source software. Akrites is the largest coordinated effort in history to build systems and deploy tooling that draws on the collective power of the community to make everyone safer. We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler to find, fix and responsibly disclose vulnerabilities in critical open source software and to support the security of the critical infrastructure that depends on it.

A large and growing share of the world's technology is built from the same open source components, carries the same latent defects, and is now exposed to the same accelerated discovery. No vendor's walls are high enough to make this someone else's problem.

Until now, security response and disclosure have been a patchwork of organizations and teams, often working on the same problems and sometimes shipping conflicting patches or filing duplicate reports. In this new environment, acting without coordination will worsen the problem and waste precious time.

When dozens of companies independently scan the same library and each file a report, we bury the maintainers under noise. Every additional party that holds an unpatched vulnerability raises the odds it will leak before there is a fix, increasing the risk to all of us. So we are stating plainly: We all depend on open source, and we will all defend it together.

Akrites is our commitment to act differently and to act upstream, where maintainers work and where we can respond proactively to this new reality. It provides one confidential, trusted place to coordinate discovery, remediation and disclosure at a speed that matches or surpasses AI-assisted attackers. A shared, dedicated Security Incident Response Team gives maintainers a single, predictable partner instead of a hundred uncoordinated reports.

As Akrites works upstream to fix projects at the source, we also commit to supporting downstream efforts to secure critical infrastructure before a vulnerability can be exploited. Once a patch is public, adversaries can use AI to rapidly reverse engineer the underlying vulnerability, develop an exploit and launch attacks. The success of our efforts will therefore be measured in patch deployment, not publication. We will partner with critical infrastructure owners and operators, civil society efforts, and governments as they increase coordination to achieve these goals.
