The name Akrites is derived from Akritai — the Byzantine Empire’s frontier guardians, who stood watch where threats arrived first and defenses were thinnest.
It’s not news that the advent of powerful AI models has brought increased security concerns to software in general. This is particularly true for open source software, where source code is readily available.
Many still think that the “many eyes” philosophy is an open source security feature, because it means that security vulnerabilities are likely to be discovered and patched ahead of zero-day exploits. However, the quickness with which black hats armed with AI can find and exploit vulnerabilities is changing the playing field. We saw this in action last month, when AI surfaced three serious vulnerabilities in Linux in a single week.
Not to fear. A group of organizations that develop, use, and secure open source software have come together under the Linux Foundation’s umbrella to launch Akrites, which is vowing to defend critical open source software against AI-enabled cyber threats.
This is good news, given that a recent report from the Linux Foundation and OpenSSF estimates that 96% of codebases include FOSS.
“Finding a serious vulnerability in a major open source project used to take an expert weeks,” the newly formed organization said in an open letter it published on Thursday. “This now takes a machine minutes, and often the AI model returns multiple vulnerabilities in a single pass. The same AI capability that can help harden our software will, in the wrong hands, turn vulnerability discovery into a pipeline.”
While this effort is focused on big enterprise use of FOSS, I can’t see how it can fail to benefit everyday Linux users who use open source at home the way their neighbors use Microsoft and Apple — but more on that later.
Inside Akrites
Traditionally, software vendors and developers have pretty much had to go it alone when it comes to security. However, groups such as Akrites that collectively attack security issues are becoming the rule rather than the exception. For example, these days the Linux Foundation is also the home of OpenSSF, an organization with a general focus on open source security, and Cloud Security Alliance, where enterprises collaborate on cloud and emerging tech security standards, best practices, and research.
Both of those projects are backed by companies that are leaders in their respective fields. Similarly, the list of organizations that have already signed on to be a part of Akrites looks something like a Who’s Who of enterprise tech, and includes Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorgan Chase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone and Zscaler.
Akrites’ focus is entirely on AI-enabled security issues. The idea is to provide a single, trusted place for coordination, remediation, and disclosure. This includes a shared Security Incident Response Team, staffed by the project’s members, to offer a coordinated approach. The idea is to work directly with critical infrastructure to support patch deployment before vulnerable systems can be targeted.
“Vulnerability discovery is now moving at a speed that overwhelms both the maintainers who sustain open source projects and the users who rely on them,” Per Beming, chief standardization officer at the Swedish networking and telecom provider Ericsson, said in a statement. “Uncoordinated reporting, patching, and disclosure create friction, putting the entire ecosystem at risk. No single organization can solve this alone.”
Who’s the Beneficiary
From what I can see, everybody that touches Free Software will benefit from Akrites’ efforts, from IBM down to everyday Linux users. That’s how it looks on paper, anyway. Time will tell how it works out in real life.
The organization says that bug fixes will flow back to the originating project, and on the project’s maintainers’ terms:
“Where a critical package has no active maintainer, Akrites will serve as maintainer of last resort so fixes to the latest version reach everyone in a timely fashion. The initiative will also coordinate with government efforts so public and private defenders move together.”
So far, that sounds good to me.
The organization is structured into two main paid membership groups, headed by Premier members, which I’m guessing includes all of the organizations that are on the list released Thursday.
According to Akrites’ website, Premier members represent critical infrastructure operators, along with the vendors and platforms they depend on. They’re the priority SIRT coordinators and are eligible for nomination to the Governing Board. The second membership level, General, is composed of organizations that want to help but lack the ability to commit large engineering resources. They will participate in forums and working groups, with priority access to member briefings and named participation in transparency reports.
The third group, Associate, is where my hope lies if this is to be an organization that truly works for the FOSS community and not just big tech. Membership in this group is given to recognized open source foundations and projects, at no cost, but with a caveat that gives me pause to wonder: evidently you can’t apply to join at this level. Associates are invited by the Governing Board — “at their discretion” — to coordinate with working groups.
I’m hoping that this group becomes huge, so that every project that produces software that’s important enough to be included in the repositories of most Linux distributions will have a seat and a say.
“Open source only works when we keep the work open, upstream, and available to everyone who depends on it,” said Mehran Farimani, CEO of RapidFort, a software supply chain security and attack surface management platform. “The answer to the AI-driven vulnerability crisis is not to fragment the ecosystem behind proprietary walls or turn community foundations into closed products. It must be coordinated remediation that preserves the integrity of original software, works with maintainers, and returns fixes to the commons.”
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux