Slashdot

Linux Foundation Launches Akrites To Coordinate AI-Driven Open Source Security

BrianFagioli writes: The Linux Foundation has announced Akrites, a new initiative to coordinate vulnerability disclosure and remediation for critical open source software as AI dramatically speeds up vulnerability discovery.

Founding members include AWS, Google, Microsoft, OpenAI, Red Hat, NVIDIA, IBM, Cisco, JPMorganChase, and others.

Akrites will provide a shared Security Incident Response Team (SIRT), a standardized coordinated vulnerability disclosure process, and act as a "maintainer of last resort" for abandoned but widely used packages. The goal is to reduce duplicate reports, avoid conflicting patches, and help upstream maintainers address vulnerabilities before they can be exploited.

As AI makes it easier to find security flaws, can a coordinated industry effort help protect open source, or does it risk giving large corporations too much influence over the ecosystem?

"Akrites is the largest coordinated effort in history to create systems and deploy tooling that leverages the collective power of the community to make everyone safer," the Linux Foundation said in an open letter. "Akrites participants will contribute engineering resources; work to build and ship fixes; or fund the engineers who do. Some companies have contributed mightily already. The reality is, collectively, we need to contribute more."


Community Discussion

I invented attribution (Score:2)

LLM driven security is a scam. It does not work and cannot work. LLMs are both far too limited and far too unreliable to be useful. They can create a massive sense of false security though. And while they need to be run on software (because attackers will do it), that does not make that software secure. Stop believing LLMs are magic. They are not.

Re: (Score:2)

You should subscribe to some security mailing lists. Even absent that, it's hard to believe you have not noticed the massive increase in CVEs since everyone started using frontier models. Fortunately the vast majority of them are EOP and DOS and not RCEs, but one thing they are not is imaginary.

Re: (Score:2)

I do know about the increase in CVEs. But since I have some actual understanding of the matter, I can see it is NOT a good thing. LLMs massively advantage attackers, while helping defenders very little. And, quite frankly, some of these newly found vulnerabilities are just the result of shoddy coding and no tool use. For example, use-after-free is NOT something that only an LLM or manual review finds. It is not something that is even exploitable with reasonable coding practices. Even frigging plain GCC has a...

Re: (Score:2)

I did not comment on whether it is good or bad, only that the tools do actually provide some valid and useful results. The exploding list of CVEs is clear evidence of that.

"LLMs massively advantage attackers, while helping defenders very little."

No doubt about it, but that said any serious defenders not using the same tools are still handicapping themselves.

"And, quite frankly, some of these newly found vulnerabilities are just the result of shoddy coding and no tool use."

No argument here. The unfortunate reality is that there is an astounding amount of shoddy code out there, and that long predates AI. Not just the likes of Microsoft and Mozilla using AI to fix hundreds of bugs recently.

What I want to know (Score:2)

What I want to know is why the Linux Foundation is keeping quiet about these Age Verification Laws. Don't they support the users anymore? Without these users in the 90s and early 2000s, there would be no LF paying high salaries so people can create documents using Microsoft Word on Windows.

Etymology (Score:2)
