Linux Foundation Launches Akrites to Standardize Open Source Vulnerability Remediation

The Linux Foundation on June 26, 2026, launched Akrites, an industry initiative designed to standardize how critical open source projects handle vulnerability remediation and disclosure. The project brings together technology companies, financial institutions, security vendors, AI companies, and open source projects to address a growing gap in coordinated response.

AI tools have shortened the average time between a vulnerability's discovery and its exploitation, according to the foundation, making rapid, coordinated patching more urgent than ever. Akrites aims to provide the infrastructure and processes needed to close that window.

Akrites aims to standardize vulnerability handling

Akrites will establish a common framework for reporting, patching, and disclosing security flaws in widely used open source software. The initiative will provide tools and communication channels that allow projects to coordinate with affected parties before public disclosure, reducing the risk of zero-day attacks.

• Participants include major technology companies, financial institutions, security vendors, and AI firms, though the foundation has not yet released a full member list.
• The project will create a shared repository for vulnerability reports and patch coordination, similar to the model used by the OpenSSF but focused on the entire lifecycle from discovery to disclosure.
• Akrites will also develop guidelines for handling AI-generated exploits, which can automate the creation of attack code from a vulnerability description.
• The initiative builds on existing work by the Linux Foundation's Open Source Security Foundation (OpenSSF) and the CNCF's security audits, such as the Cilium CI/CD hardening series that detailed credential isolation and release signing.

Context of rising supply chain attacks

The launch comes as software supply chain attacks continue to rise. The 2024 Sonatype report found a 156% increase in open source supply chain attacks year over year, and the average time to exploit a known vulnerability has dropped from weeks to days in some cases. Akrites is designed to give maintainers a structured way to respond before attackers can weaponize a flaw.

What comes next: The Linux Foundation plans to open Akrites to all open source projects in the coming months, with initial onboarding for projects that have already undergone security audits. The initiative will also work with existing vulnerability disclosure programs to avoid duplication of effort. Early adopters are expected to include projects from the CNCF ecosystem, where CI/CD security practices like those documented in the Cilium series are already being implemented.