Explore top 10 tips to secure your open-source projects now. Read More
×The Linux Foundation has officially launched Akrites , a coordinated industry initiative designed to improve how critical open source vulnerabilities are validated, coordinated, and disclosed before patches reach downstream users. Backed by a diverse coalition—including AWS, Google, Microsoft/GitHub, Red Hat, NVIDIA, and OpenAI—Akrites establishes a shared Security Incident Response Team (SIRT) to streamline the validation, remediation, and disclosure of vulnerabilities in the foundational code that underpins the modern digital economy. . AI Is Changing Software Supply Chain Security One detail in the Linux Foundation announcement stands out more than the launch itself. The organization isn't suggesting that open source projects suddenly need more vulnerability reports. They already receive plenty. The problem is volume. AI-assisted analysis has made it possible to review large codebases much faster than before. Researchers can identify suspicious patterns, compare projects, and generate vulnerability reports in a fraction of the time that manual analysis once required. That is good news for open-source security, but it has also exposed a weakness in the current response model. Every report still has to be reviewed by a person. Someone has to reproduce the issue, determine whether it affects supported releases, understand its severity, decide whether a CVE is appropriate, develop a patch, and move that fix through coordinated vulnerability disclosure before technical details become public. None of those tasks has become significantly easier simply because AI can produce findings more quickly. According to Endor Labs, one of Akrites' founding members, fewer than 5% of recently validated open source vulnerabilities have been patched . Whether that percentage changes over time, it illustrates the same trend. Discovery is accelerating faster than remediation. Why Existing Open Source Security Processes Are Under Pressure The reality for many maintainers looks verydifferent from how people imagine open-source security working. A widely used library isn't necessarily maintained by a large engineering team. In many cases, it's a handful of contributors or even a single developer balancing maintenance with a full-time job. Now imagine that the project suddenly receives dozens of reports describing the same underlying issue. One submission comes from a commercial scanner. Another is generated by an AI coding assistant. A third arrives through a bug bounty program. None are identical, but all require investigation. The difficult part isn't opening the email. It's figuring out whether the report is accurate, whether the vulnerability can actually be reproduced, whether downstream users are affected, and how the issue should move through vulnerability disclosure without exposing organizations before a fix is available. Akrites is intended to reduce that burden by acting as a shared Security Incident Response Team. Instead of every organization independently contacting maintainers, the initiative provides a coordinated process for validating reports, removing duplicates, and helping projects prepare fixes before disclosure begins. Recent Incidents Showed Why Coordination Matters Recent security incidents have demonstrated that identifying a vulnerability is often only the beginning. Log4Shell became a global response effort almost overnight. The challenge wasn't limited to understanding the vulnerability itself. Linux distributions, software vendors, cloud providers, security teams, and enterprise administrators all had to coordinate patches, advisories, testing, and deployment under intense time pressure. The XZ Utils backdoor exposed a different weakness. It showed how much critical infrastructure still depends on software maintained by very small teams. When one upstream project experiences a security problem, the consequences spread through Linux distributions, enterprise products, containers, cloud platforms, and countless applications built ontop of that code. Akrites would not have prevented either incident. The Linux Foundation isn't making that claim. Instead, the initiative attempts to strengthen the coordination that happens after a vulnerability is discovered and before it reaches the wider ecosystem. What Akrites Means for Open-Source Security Akrites represents a clear realization: open source security can no longer rely solely on the efforts of individual maintainers. Every critical project eventually hits the same wall: the software becomes indispensable long before the maintenance team has the resources to manage it. One interesting aspect of this initiative isn't just the technology—it's the list of founding members. Organizations like Citi, JPMorgan Chase, Ericsson, and Cisco rarely launch joint initiatives unless they share a massive, systemic problem. In this case, they do. Modern infrastructure shares an enormous amount of upstream code, which means one overwhelmed maintainer is now a systemic risk for banks, power grids, and cloud providers alike. What This Means for Linux Administrators Linux administrators rarely work directly with upstream maintainers, yet they depend on them every day. Enterprise distributions such as Red Hat Enterprise Linux, Ubuntu, Debian, SUSE, AlmaLinux, and Rocky Linux package software only after upstream projects have investigated reports, developed patches, and coordinated disclosure. Improvements at the upstream level can ripple through the entire software supply chain, ultimately affecting how quickly organizations receive trusted updates. : Faster upstream patch coordination: Verified fixes land in your distribution’s repositories sooner because the "middle work" of validation and deduplication is handled upstream. More consistent security advisories: Standardized reports make it easier to track and prioritize updates across your fleet. Better support for widely used components: Akrites says it can serve as a "maintainer of last resort" for certain criticalprojects by helping coordinate remediation when active maintenance is no longer sufficient. How Akrites Coordinates Vulnerability Response The initiative formalizes the vulnerability disclosure lifecycle to ensure confidentiality and speed. Instead of maintainers fielding reports from hundreds of sources, they have one predictable partner. Discovery: A researcher or AI surfaces a potential flaw. Confidential Submission: The report is sent to the Akrites SIRT, not a public bug tracker. Validation & Deduplication: The SIRT verifies the issue and removes duplicates. Remediation: Maintainers and industry engineers collaborate on a fix in a secure environment. Upstream Merge: The fix is merged into the original project's repository. Synchronized Disclosure: A coordinated CVE is published to alert the ecosystem. Akrites Won't Replace Vulnerability Management It is vital to note that Akrites is an upstream coordination body, not an enterprise security product. Organizations still need robust internal programs, including vulnerability management processes, asset inventories, and monitoring tools to detect threats within their specific environments. Akrites improves the upstream coordination of security, but the responsibility for securing the downstream enterprise environment remains with the organization. Akrites complements existing vulnerability management programs rather than replacing them. Organizations will still need scanners, patch management workflows, asset inventories, and software bills of materials (SBOMs) to identify affected systems and deploy updates. Akrites focuses on the upstream coordination that happens before those updates reach enterprise environments. Conclusion For years, the industry invested heavily in tools designed to identify software vulnerabilities faster. Akrites reflects a strategic recognition that discovery is no longer the limiting factor. As AI continues to accelerate vulnerability research, the challenge hasbecome how quickly maintainers can validate reports, coordinate fixes, and deliver patches before attackers exploit them. Whether Akrites succeeds will ultimately be measured not by the number of vulnerabilities it processes, but by whether it successfully shortens the time between discovery and remediation across the open source ecosystem. By professionalizing the "messy middle" of the response process, Akrites is attempting to build the operational infrastructure needed to keep our most critical software secure in an age of AI-accelerated threats. Want more Linux security news, open source security analysis, and software supply chain insights? Subscribe to the LinuxSecurity Newsletter for the latest vulnerability disclosures, security advisories, threat analysis, and expert coverage of the technologies shaping the Linux ecosystem. Related Reading Why Linux Supply Chain Attacks Are Becoming a Nightmare for DevOps Teams Targeted Attacks on Open Source Maintainers Highlight Security Risks . The Linux Foundation's Akrites aims to improve the response and management of open source vulnerabilities through collaborative efforts.. Linux Foundation, Akrites, Open Source Security, Vulnerability Coordination, Software Supply Chain. . MaK Ulac
As the open-source model continues to prove its sustainability in the enterprise, the software community is ramping up its security-mindedness. That concern was evident in recent weeks as leading Linux groups led the way for better code security. . Google announced a new initiative to zero in on software vulnerabilities. Already a generous provider of patching incentives, the software developer upped the ante to encourage more researchers to submit troublesome codes for cash. Edgeless Systems made a striking open-source contribution, JFrog offered advancements in support a more polished Rust Foundation, and Facebook, too, pushed the limits for Meta AI. . Microsoft launched a fresh program aimed at improving cyber risk assessment and raising developer security education.. Open Source Models, Code Security Initiatives, Software Vulnerability Management. . Brittany Day
The Open Source Security Foundation (OpenSSF) on Tuesday announced that 19 more organizations have joined the initiative, showing commitment towards identifying and addressing vulnerabilities in open source software. OpenSSF now has a total of 60 members. . Hosted by the Linux Foundation, OpenSSF is a cross-industry forum meant to bring together open source security initiatives and help not only address the security of open source, but also develop best practices, research, tooling, training, and vulnerability disclosure practices. Six of the 19 organizations that just joined OpenSSF are Premier Members, namely 1Password, Coinbase, Citi, JFrog, Huawei Technologies, and Wipro. The link for this article located at SecurityWeek is no longer available. . The Open Source Security Foundation (OpenSSF) consists of 60 dedicated members focused on improving security protocols for open-source projects via collaborative initiatives.. OpenSSF, Open Source Security, Vulnerability Disclosure, Security Standards, Software Initiatives. . LinuxSecurity.com Team
Google is now paying developers more money to work on securing their Linux kernels - a gesture that may well be the start of the company’s bid to enforce a tighter grip on Open Source. . Google’s action comes on the heels of rising threats to Linux that unfolded in the last year, as hackers pivot to new strategies like writing malware strains in the Go programming language. The spread rate of malware is staggering. Infected code incidents made a 500 percent spike in the last year. That represents a 2,000 percent increase since 2017, according to Google. . Tech giants are encouraging programmers to bolster Windows security as cyberattack risks escalate, highlighting robust system defenses.. Linux Kernel Security, Open Source Initiative, Malware Trends, Google Funding. . LinuxSecurity.com Team
OpenSSF was launched in August of 2020 as “a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS)”. This article provides an overview of OpenSSF's mission, what it’s accomplished in its first six months and its plans for the future. . The Open Source Software Foundation (OpenSSF) officially launched on August 3, 2020 . In this article, we’ll look at why the OpenSSF was formed, what it’s accomplished in its first six months, and its plans for the future. The world depends on open source software (OSS), so OSS security is vital. Various efforts have been created to help improve OSS security. These efforts include the Core Infrastructure Initiative (CII) in the Linux Foundation, the Open Source Security Coalition (OSSC) founded by the GitHub Security Lab, and the Joint Open Source Software Initiative (JOSSI) founded by Google and others. It became apparent that progress would be easier if these efforts merged into a single effort. The OpenSSF was created in 2020 as a merging of these three groups into “a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS).” . The Collaborative Development Initiative (CDI) was formally established on September 15, 2021. This write-up outlines its objectives.. OpenSSF, Open Source Security Foundation, OSS Collaboration, Software Security Initiative. . Brittany Day
The Linux Foundation's Open Source Security Foundation (OpenSSF) looks to jointly mitigate risks inherent to the open-source style of development, and the foundation just announced that a total of 16 new contributors have joined OpenSSF including Canonical, Facebook, Samsung, Huawei Technologies, and more. . Security has always been of utmost importance to the entire open source ecosystem. Eric S. Raymond, one of the luminaries of the open source movement, in his famous essay, Cathedral and the Bazaar, wrote “given enough eyeballs, all bugs are shallow.” While still true, the complexity of software, and the increasing number of collaborators, puts an increasing onus on the eyeballs hunting for vulnerabilities. In addition to well-defined security policies at a project level, virtually all of the top organisations that contribute to open source software have security initiatives of their own. . Protection is crucial within the open-source community, with emerging programs bolstering efforts to address weaknesses.. Open Source Security, Software Risk Management, Vulnerability Mitigation. . Brittany Day
IBM developers and others continue exploring the potential for address space isolation in the Linux kernel to reduce the risk of leaking sensitive data in attacks like L1 Terminal Fault (L1TF), MDS, and other vulnerabilities. Though this does increase the complexity of the kernel code and the performance hit is still to be evaluated. Learn more in an interesting Phoronix article: . Mike Rapoport and James Bottomley presented at this week's Open-Source Summit Europe in France on Address Space Isolation within the kernel compared to the current structure of the kernel using a single address space. The still in-progress A.S.I. patches could allow for certain kernel contexts like the Kernel-based Virtual Machine (KVM) to have a separate address space to reduce the exposure of sensitive data. Kernel Address Space Isolation was proposed earlier this year but its impact is still to be fully evaluated in terms of the impact on code complexity and overall security benefits as well as performance. As such, this functionality isn't coming to a near-term kernel release but those wanting to find out more can do so via this PDF slide deck from the presentation. The link for this article located at Phoronix is no longer available. . Mike Rapoport and James Bottomley presented at this week's Open-Source Summit Europe in France on Ad. developers, others, continue, exploring, potential, address, space, isolation, linux. . Brittany Day
With large corporations' contributions to open-source projects and adoption of open-source programs, your personal data could be kept more securely by big firms. . Microsoft is continuing its broad ongoing push to contribute with open source projects, joining the newly created Confidential Computing Consortium, an initiative launched by The Linux Foundation which aims to provide better security for data which is actually in use by apps on a computer, or in the cloud (as opposed to at rest, or not being used). Microsoft is far from alone in this endeavor, and is joined by Intel in the consortium, along with ARM, Baidu, Google Cloud, IBM, Red Hat and other tech giants. The link for this article located at Tech Radar is no longer available. . Google's dedication propels collaborative Android security initiatives with major industry players to enhance user privacy.. Open Source Initiatives,Linux Contributions,Corporate Data Security. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.