Software, AI companies form alliance to tackle open-source security flaws
https://www.cybersecuritydive.com/news/software-ai-alliance-open-source-security-flaws/823889/
Publish Date: 2026-06-26 11:35:00
Source Domain: www.cybersecuritydive.com
A coalition of technology companies, including Anthropic, AWS, IBM and Microsoft, announced a joint effort to find, disclose and remediate security flaws in open-source software.
The group, called Akrites, will establish a shared security incident response team as well as a coordinated vulnerability disclosure process.
The founding members, led by the Linux Foundation, will commit extensive resources to the effort, including funding, engineers and cybersecurity expertise.
Officials said the plan was mainly driven by the emergence of frontier AI models that radically accelerated the ability to discover vulnerabilities in critical software applications. In recent months, malicious actors have demonstrated the ability to weaponize AI for use in sophisticated attacks.
The existing open-source ecosystem does not have the ability to discover and remediate vulnerabilities fast enough to protect millions of users from potential attacks. The group outlined some of these concerns in an open letter to the industry.
“Artificial intelligence has collapsed the previous equilibrium between attackers and defenders, changing the equation of ease and reuse of software,” the coalition wrote in the letter.
Disclosure backlog
Akrites is designed to address some of the systemic challenges facing the open-source community in developing a coordinated vulnerability disclosure process, according to Christopher Robinson, CTO of the Open Source Security Foundation and chief security architect of the Linux Foundation.
The emergence of large language models and sophisticated scanning tools in recent years has made all of those historic challenges even more serious.
“Upstream projects are being inundated with vulnerability reports of varying degrees of quality which far exceeds these volunteer developers’ ability to evaluate and keep up,” Robinson told Cybersecurity Dive.
Seed funding for Akrites will be provided by Alpha Omega, which is a directed fund under the Linux Foundation. Other organizations are being asked to provide additional resources or engineering talent.
The open-source community has faced mounting concerns in recent years about the inability of traditional maintainers to quickly discover and disclose vulnerabilities in order to prevent widespread supply chain attacks.
Varun Badhwar, co-founder and CEO of Endor Labs, said more than 23,000 vulnerabilities were discovered just one month after the announcement of Project Glasswing, impacting about 1,000 open-source projects. These include about 6,000 vulnerabilities that were considered high severity or critical.
In addition, Glasswing’s partners found another 10,000 high-severity or critical flaws. Only 5% of these vulnerabilities have been fixed.
“No volunteer ecosystem was built to absorb that,” Badhwar told Cybersecurity Dive.
Other founding companies in Akrites include Cisco, Citi, JPMorgan Chase, NVIDIA, OpenAI and Ericsson.