# Linux Foundation联合20家科技企业发起Akrites倡议，修补开源软件漏洞以抵御AI攻击

- 来源：The Decoder：AI News（RSS）
- 作者：Maximilian Schreiner
- 发布时间：2026-06-26 18:07
- AIHOT 分数：65
- AIHOT 链接：https://aihot.virxact.com/items/cmqurr0f706wjsl80ica7ae8h
- 原文链接：https://the-decoder.com/linux-foundation-and-20-tech-giants-launch-akrites-to-fix-open-source-flaws-before-ai-powered-attacks-hit

## AI 摘要

Linux Foundation与约20家科技企业、AI实验室和银行共同发起Akrites倡议，旨在AI工具利用漏洞前修补关键开源软件的安全缺陷。创始成员包括Amazon Web Services、Anthropic、Cisco、Google、Microsoft、NVIDIA、OpenAI等。当前开源安全响应模式碎片化，过去数月经验证的漏洞中仅不到5%被打补丁。Akrites设立共享安全事件响应团队，通过CVE、CVSS、TLP等标准保密处理报告、去重并协调修复。对于无活跃维护者的项目，将作为“最后维护者”自行发布补丁。种子资金来自Linux Foundation下的Alpha-Omega专项基金。

## 正文

Linux Foundation and 20 tech giants launch Akrites to fix open-source flaws before AI-powered attacks hit

Maximilian Schreiner View the LinkedIn Profile of Maximilian Schreiner

Jun 26, 2026

Nano Banana Pro prompted by THE DECODER

Key Points

The Linux Foundation and about 20 tech companies have launched the Akrites initiative to protect open-source software vulnerabilities from AI-powered attacks.

As AI models can scan code in minutes and give even non-experts the tools for complex attacks, Akrites replaces the current uncoordinated system for reporting security flaws.

A central team will vet reports confidentially and coordinate fixes. For abandoned projects, the initiative will ship the needed patches itself.

About twenty tech companies, AI labs, and banks are joining forces through Akrites to fix vulnerabilities in critical open-source software before AI tools can exploit them.

The Linux Foundation has announced Akrites, a coordinated industry initiative to patch security flaws in widely used open-source software alongside maintainers before attackers can take advantage. Founding members include Amazon Web Services, Anthropic, Cisco, Citi, Google, IBM, JPMorganChase, Microsoft, NVIDIA, OpenAI, Red Hat, the Rust Foundation, Vodafone, and Zscaler.

The reason is a shift in the balance of power: finding and fixing serious bugs in open-source code used to require comparable expertise on both sides. Modern AI models can now scan a large project in minutes instead of weeks, exposing flaws far faster. Once those abilities are widely available, even attackers without deep technical skills get the tools for sophisticated exploits.

The Linux Foundation describes the current security response model as patchwork. Many organizations scan the same packages independently, report the same findings multiple times, and sometimes deliver conflicting patches. Maintainers get buried under duplicates while real, exploitable bugs get lost in AI-generated noise. Endor Labs CEO Varun Badhwar put the urgency in sharp terms: of thousands of validated open-source vulnerabilities from recent months, fewer than five percent have been patched.

One shared response team instead of a hundred separate reports

At the core of Akrites is a shared Security Incident Response Team (SIRT). It acts as a single, reliable point of contact for open-source project maintainers instead of dozens of organizations independently flagging the same flaws. The team vets incoming reports, filters out duplicates, and then coordinates fixes.

Akrites uses a standardized process for confidential vulnerability disclosure, known in the industry as Coordinated Vulnerability Disclosure. It builds on established standards like the CVE identifier system, the CVSS severity scoring framework, and the TLP traffic-light protocol that governs who gets to see what. Confidentiality is central: every report starts at TLP:RED, the highest classification level, and only the assigned case team can access it. That way, details about a flaw don't leak before a patch is ready.

Maintainers keep control even when there are none left

Finished fixes flow back into the original project on the maintainer's terms keeping developers in control. When a critical package no longer has an active maintainer - a common problem with volunteer-run projects - Akrites plans to step in as a "maintainer of last resort" and ship the fix itself, so the patch reaches all users in time. The initiative also plans to coordinate with government agencies so private and public defenders move in lockstep.

Seed funding comes from Alpha-Omega, a directed fund under the Linux Foundation. Other organizations that want to contribute engineering resources or funding are invited to join.
