Thank you very much, but I remember what Google is doing with Android this September (closing third party installs using .apk).
So things do get fixed, but it is not due to their graciousness.
There isn't a call out for contributors. This is all done behind closed doors. It's the antithesis of free/open source software, presented as defending it.
I don't particularly have any better ideas. And I'm not particularly criticising. It's just that a lot of the time the terms are synonymous, but here they are starkly different.
> Amazon Web Services
We really don't give a shit, We will continue to not give a shit. We might give you a credit if threatened by the EU but really? We don't give a shit. Keep sending us that sweet dosh for AWS.
> Anthropic
We underpin the front page of the internet with AI and in so doing we allow it to train upon the collective with no recognition. It's great to take and not give back. By the way, your vibe coded app is looking ownage.
> Cisco
We are Cisco and we'll license you if we could. We invented the subscription model to charge you per Ethernet port on your router. Open source is great, we don't even have to contribute upstream. We did once upon a time, isn't that enough?
> Citi
In partnership with Linux Foundation, we will do nothing and keep doing nothing. Linus enjoys his dosh and handjob now and then.
> CNCF
Working on the right fixes before the window closes, we prefer that to be left to the developers and we are very proud to support that effort. Unfortunately, no treats for the developers is written in to our company policy. How does pizza sound?
> RedHat
Open source is the foundation of modern software innovation so we hide answers behind a paywall. We sold ourselves to IBM so we could keep lubing that stripper pole to fill our filthy pockets. Larry Ellison will be here soon for his next lap-dance.
> Microsoft & GitHub
We decided to throw legal action at a security analyst for finding exploits in our OS for laughs. Open source all the way, we don't even allow you to search on GitHub without a rate limit; it's healthy to laugh. How's your mother doing? She seems a keen user of Windows 11 and as she is very important to us, we've removed that feature she uses most.
A lot of open source folks are going to be very skeptical, rightly so, of this group of players.
> ... to find, fix, and responsibly disclose vulnerabilities in critical open source software ...
How this is implemented is going to be key. Are they going to contribute through (a) existing channels, pull requests etc. or (b) are they going to fork the projects under the guise of 'security' or (c) offer bug bounties or (d) contribute financially?
Approach (a) brings the community along. (b) alienates the community, splits resources, and in the long term will likely cause many open-source projects to die. (c) has potential, but timing and speed can be unfavorable for critical bugs, and it doesn't mesh with 'responsible disclosure'. (d) can be ineffective for critical bugs unless paired with support for maintainers, which can be incredibly helpful for the open-source ecosystem.
I expect we’ve got a future of “undo forks” as I’ve called them which is rolling back to pre-insanity times and rethinking again. That’s only something people unencumbered by commercial requirements can do.
There goes all the credibility of this post
> participants will contribute engineering resources
If it works out as planned, we will see. Apart from this, I am not overwhelmed by the claim of this project. It favors centralization and corporate circles, exactly the opposite of what the hacker ethics promotes for good reasons.
Probably not as impressive to a non-Greek, but to a Greek person it creates very strong imagery.
Besides, many of the companies on the list are suspect numero uno for the state of open source.
Many of the names on the list make the initiative rather suspect. Companies who do a lot to undermine free and open-source software, who hide critical software behind their walls, preventing both its scrutiny and its adaptation and improvement, and two of the LLM giants - they'll "defend open source"? I don't know about that.
> Akrites gives critical infrastructure stakeholders a confidential, structured place to coordinate vulnerability discovery, remediation, and disclosure across the open source projects they depend on
So, a bunch of large corporations - some of whom are known to be in bed with the US government - will share vulnerabilities among themselves, out of the public eye? Fishy.
Ambitious and interesting. I wonder how long this will last and on whose dime and time? Akrites employs no engineers, so who will make the fixes and who'll pay them?
They terrorized them to abandon their free time. They terrorized them to find easy solutions in the workplace instead of coming up with solutions that require technical expertise and deep thinking. They terrorized people to not conform to standards, or create standards but instead patch around lack of standardization. They terrorized people to not question, but accept. To become slaves. They did not help them get wide knowledge but be specific on the work, like mass produced meat. They swept all problems under the carpet and said "This time it will be different". No victories, just silence on the defeats.
It has been happening in the past, and it has accelerated and gotten worse as they seized more power.
The leap to the AI era is the latest and most violent step of this attack on fundamental human rights.
The problem is political in my opinion. People ought to demand a better life and more free time to work on open source or do their hobbies. They ought to demand human-centric laws that stop the greed, and that those laws are enforced at last.
Free time is not for consumption, but for production of higher intellectual artefacts.
My entire technology stack was built on Microsoft's ecosystem, not on open source. This was Microsoft's attempt to expand their base for the corporate hiring market and OS market share.
Conversely, open source was a huge barrier for me. When I have a product I've built, I have to get past open source, but accessing open source comes with the barrier of English. And once you get past the English barrier, you hit the cultural barrier.
My hobby projects do integrate with open source, but all the technology that actually makes me money depends entirely on the Microsoft ecosystem. Most of the Asian developers around me are also tied to specific vendors. On the other hand, the Korean companies that do have a culture of contributing to open source are large corporations, and entry is determined by academic pedigree.
Because the entire context of open source is in English, and learning English reliably is expensive in itself. So to properly work as a developer in Korea, you actually need to be vendor dependent. The corporate ecosystem is not oppression; it is the only viable path to education and survival. If you want to grasp the latest trends, you ultimately need curation from a specific company. Some people say Hangul is a great writing system, but to me, this is where it becomes a curse and a shackle.
So when I read Hacker News, I feel just how large the gap in thinking is between the West and the East. The Japanese developers I have talked to mostly talk about coding within corporate environments rather than open source, and Chinese developers are also shaped by their corporate environments. But the posts on HN talk about their 'gardens' being ruined and absorbed by corporations, and they resist that. But since I was raised in a corporate environment from the start, I cannot imagine a different one, so this resistance tends to feel like an aristocratic hobby to me.
On the flip side, HN might see corporations as predators. Technology should be a commons, and developers should be free, not tenant farmers of a platform.
But the irony I personally feel is that to protect this 'garden commons,' they end up creating centralized, non-public coordination mechanisms with the very corporations that plunder the commons. That feels contradictory to me.
For security vulnerability response, non-public coordination may be necessary. If a vulnerability is disclosed before a patch is ready, attackers can create exploits. But the principle of open source is transparency and open discussion, while the Akrites-style security principle is non-public coordination and a single point of contact.
On top of that, corporations used open source as free infrastructure, and now that the risk has grown, they are building corporate-led governance systems based on that risk. That feels ambiguous to me. Of course, open source sponsorship has always had some tension, but if that was buying a craftsman's work, this looks more like buying the craftsman's workshop.
I wonder how Westerners would read this. I am curious. To me, this looks like a political struggle to take control of governance over the commons. Do Westerners see it as the Avengers? The difference in mindset is sometimes painful.
I have found (c) to be high noise, low signal. We're winding down our HackerOne program.
D: we do this in a couple ways. For PQCA, for instance, we use credits from AWS to get access to hardware to run proofs and CI on. PQCA also has a paid mentorship program.
For OWF, we do the same with AWS credits, as well as provide hosting for projects to run services on for testing.
For LFDT, we offer paid mentorships, have paid for Trail of Bits to do reviews, and run events. We had a maintainer summit in New York in January so our maintainers could meet for two days face-to-face. We fund large GitHub CI runners for projects as well.
I know it doesn't answer everything, but our team is only a few people and we really do work hard to help developers. What I'll call the devrel team for OWF/PQCA/LFDT is three FTE, one contractor, and our manager.
LFDT: https://www.lfdecentralizedtrust.org/
OWF: https://openwallet.foundation/
PQCA: https://pqca.org/
PQCA benchmarks, for instance: https://pq-code-package.github.io/mldsa-native/dev/bench/
This is, of course, ridiculous, and Dr. Ambergris is just an amalgam of Muammar al-Gaddafi and some 2nd rate wannabe strongmen not worth mentioning that I made up for fun.
I read this as: they would build the patches privately (or with maintainers if confidential) and then share amongst their supporters before public release.
That's a feature to them, not a bug. They want the software and don't want the community.
What worked is to remove the bounty and simply allow people to report bugs responsibly. This attracts the kind of altruistic volunteers who want more secure software for ideological rather than financial reasons. They still use AI but you won’t see slop.
I always advise aspiring open source enthusiasts to stay far, far away from the Linux Foundation. It has become a barrier to software freedom these days, rather than an enabler.
What would you propose otherwise?
> Besides, many of the companies on the list are suspect numero uno for the state of open source
On this I agree. This seems indeed just promo advertising to white-wash these companies. They don't really care about ethics in open source.
All they're really missing is Oracle and Bambu Lab.
It might not be the idealistic flavour of open source you prefer, but it's the flavour of open source that's actively in use in most tech companies, and that also forms the makeup of most corporate open source participation (e.g. also the top corporate Linux contributors).
Just another opaque and exclusive subproject of the Linux Foundation.
Since a lot of places are close in proximity, companies sometimes run private fiber lines and such to let peers download updates without competing with the entire world lol.
Everyone's fighting the same fight. Sharing and collaborating are normal things.
I think they are predicting that free-software projects are in freefall and no longer attract good people.
I recall reading a Linus Torvalds interview in which he said that Git's killer feature was its current maintainer.
It sounds like a realization that you can only leech off the host so much, and once your host is dead, there is nobody else to leech from.
If it's sent to Akrites, they can even pretend it's done responsibly – even though only megacorps get a seat around that table.
A charitable foundation might be plausible to help companies secure their closed for-profit software but it doesn’t really have the same urgency for the fabric of the internet (or the same moral clarity)
Meanwhile the Germans were working overnight to manufacture bombs. That, alone, is already a sufficient explanation of why we got invaded and lost our country to one of the evilest powers on Earth. France had to be rescued by the Russians, the English and the Americans after losing millions of inhabitants. Because we literally took too many holidays.
The one who works the most reaps the entire benefits. And it’s clearly not good to ask for less work all the time. Today France is peanuts on the international market, we are second at everything. Who heard of DailyMotion, which was once as big as Youtube, or Mistral, which was supposed to be our OpenAI?
You say this as if these players aren't members of "the open source folks". It's not an exclusive club.
People talk about contributing financially, but how and to what end? Most projects aren't set up to accept or utilise donations. That said, I would say we should be providing all OSS projects with significant access to AI in order to review their codebases and PRs and hopefully relieve some of the maintenance burden. I know there are some initiatives in this area already.
It may also turn into another source of pressure. Maybe they manage to sort out the real vulns, but then they come in as high priority to the maintainers.
Many maintainers are already exhausted from their normal work, sans AI noise. Even if they supply fixes, it still requires review.
In the best case they could reduce noise, but the work is still there. The industry needs to generally fund OS projects to give them the agency to handle it on their own. That's likely best for quality. If there is still a need to filter AI noise then they can add that, but not as a secret opaque thing that controls it all.
[1] https://en.wikipedia.org/wiki/Mark_Carney%27s_Davos_speech
> We are joined by Amazon Web Services…
Does that include anything more than soundbites? This effort is likely to require organizational support, and funding.
It’s not clear to me that the organizations supplying the quotes are “undersigned.” Not all of the quotes make it clear that the organization is doing anything more than asking an LLM to generate some text.
Everyone who took part in the layoff spree to boost valuation should be shut down like Enron.
This is pure corporate slop feels good bullshit generated by an LLM. “critical” comes from “kritikós” which means “related to judgement”. “Akritai” comes from “akron/ἄκρον” which means border.
To be fair, the article doesn’t sit well with me on its own, but making a crappy, etymologically untrue claim? Not on my watch.
The open source movement has been a massive success in devaluing skilled workers to accept peanuts while American corporations suck up as much value as possible while giving less than half a percent in return.
There needs to be a backlash against this corporate whitewashing.
https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
Closed software still has many people with access to the code. Governments or researchers have been given access to lots of critical source code. It can also be leaked. I wonder whether attackers are going to be more willing to bribe people with access to source now they have better odds of finding vulnerabilities with limited effort.
Yet still important to be secured due to the impact vulnerabilities can have. And LLMs can work without source code access via utilizing things like debug symbols, disassembly, reverse engineering, etc.
>paid maintainers
Just like open source maintainers their time is already being spent on other things which they see as more important over making the project 100% security bug free. Just because they are being paid, that doesn't make security their number 1 priority.
The language barrier is interesting, there is more Chinese open source now too, but yes so much is English. I remember using google translate for Nginx from Russian back in the day, and openresty from Chinese, but yes we are lucky,
If you ask american/european/english-speaking developers about coding, it will mostly be about/in the context of corporate environments rather than open source too! The majority do not actively or primarily contribute to open source projects, but instead corporate environments as well.
In an alternative timeline where the lingua franca isn't english, I can still see open source culture exist; I don't think the desire to publish and cooperate in public is an inherently "western" culture. It will also run into the same conflict of interest between Open-Source and Corporate: one prefers transparency and full-disclosure, the other prefers control in the interest of minimizing risk.
The corporations themselves are not a monolith. Their leadership and engineering teams are made up of diverse perspectives on open source, and those perspectives can shift. These same questions are debated within the company and the balance is always shifting in a way that can either benefit or undermine open source. I'm personally skeptical for some of the reasons you described, but I wouldn't rule out the possibility of a better relationship to open source.
If the language barrier disappeared overnight, would the situation still be the same, do you think? What would an Eastern open source movement look like, and why hasn't one developed?
In fact, it doesn't even seem difficult to simultaneously acknowledge and commend the valuable role they play, while also expressing concern over the influence they wield and how it might contrast with desires and goals of the wider community.
The Linux Foundation is run by the so-called corporates from the list. So is the Rust Foundation. Linux in itself is safe because Linus controls it. Not the rest of the projects LF controls.
Keep in mind I am not a coder/engineer, I’m just kind of a tourist in that world, so if I can do it it’s clearly very achievable for many people.
No reason to throw up your hands in defeat. We don’t need everyone to shift over everything. We just need to make sure there’s always space and demand for open source software to keep it alive.
> exactly the opposite of what the hacker ethics promotes for good reasons.
Yup. Seems kind of like those zombie plants in the movie "Invasion of the Body Snatchers" (the first remake; though the original is also great, it was more about communism as a threat, whereas the first remake added a bit of alien horror motifs).
> The akritai (singular akrites) is a term used in the Byzantine Empire in the 9th–11th centuries to denote the frontier soldiers guarding the Empire's eastern border, facing the Muslim states of the Middle East. (Wikipedia)
Akron means edge or border, so "frontiersman" or "those of the border".
EDIT: Commenters seem upset about the Muslim part, I didn’t mean to imply anything, you cannot just copy-paste contemporary disputes and prejudices a thousand years ago. In the historical context it’s just like most borders between different civilizations. The point is that they were a collective organization getting together to defend their land.
With my OpenBSD developer hat on, getting new hardware in the hands of developers is really important, many of us are hacking on 5-10 year old thinkpads that need replacing.
https://www.openbsd.org/want.html
The OpenBSD foundation is ~50% away from its fundraising goal for 2026!
"Microsoft will contribute expertise, resources, and AI technologies to help responsibly identify and fix vulnerabilities"
As a reminder, Microsoft runs NPM and GitHub. Microsoft has access to the best AI models and massive data centers. Despite that, their own products are rapidly getting worse at security and their services are central hubs through which various exploits are propagated. They are not making things better, they are actively and rapidly making things worse.
--
For a great example of how Microsoft deals with security issues within their own Open-Source projects, I recommend reading this GitHub thread:
https://github.com/dotnet/efcore/issues/38257
EF core currently distributes a version of SQLite that has a severe vulnerability. The issue was discovered over a year ago. It was fixed by SQLite within one week. EF core didn't mark their driver as vulnerable until a user recently reported it, got bounced around and argued with developers. The current stable version of .NET core will only get a fix in roughly two months.
I don't know if this is a good thing or not. On paper it seems fine, but there is something that feels wrong about it and I don't know exactly what.
“Maintainers of last resort”, my [back].
Yeah, nah, I'm good. That's not "open-source."
Or maybe it is, but it's not "Free Software," the better thing.
It really makes me realize just how different cultures and values can be.
Sometimes I feel like I want to be as free as you all are, but I also recognize that my own biases are deeply ingrained. There's a line in Demian that goes, 'The bird fights its way out of the egg.' It makes me strongly feel just how narrow my world really is.
For example, object-oriented programming or conditional statements generally follow a What -> Action -> Target order. But my native grammar follows a What -> Target -> Action order. So I have to translate SOV logic into SVO code syntax.
The reality is that English speakers are numerous, Japanese and Korean speakers are relatively few, and while Chinese speakers are quite numerous, there's still some cognitive load due to differences in thought patterns. It's almost like a difference in the sheer volume of accessible knowledge.
Due to the cumulative cost of translation, this feels like a bigger hurdle than people realize.
So sometimes language gives a sense of identity tied to 'ethnicity' and 'nation,' but when it comes to the competition for knowledge, I feel that the number of native speakers matters more. There are points where I agree with you, and points where I don't. It's complicated.
But regarding Korea and China: in China, there's Gitee, which has a very robust open source environment, but it's not really 'Western style open source'; it's more like corporate projects being made publicly available for free. In other words, companies release assignments and people gather to work on them. That's the dominant model. (And that becomes part of their employment portfolio. So it feels very much like an incubation system for corporate projects.)
For Korea, I think it's largely because the absolute number of Korean speakers is smaller than English speakers. As a result, Korea's tech infrastructure generally lags behind the English speaking world. It feels like: English trends emerge -> a few years later, once they stabilize, Korea starts adopting them!
The usual pattern here is that the people curating these English trends for Korea are Koreans who have worked at FAANG-like companies and come back, so they have a strong influence. But I don't necessarily agree with their perspectives, which is why I came here to see what the raw data from the West actually looks like.
On top of that, Korea's IT projects are mostly government-led (because the domestic market isn't that large), so the government essentially acts as a VC. And within this government-led incubation system, only the final winner takes everything. Given that kind of environment, I wonder if that's why open source doesn't really take off.
I won't pretend to speak to specific numbers, but a huge amount of work and maintenance is from these programmers, or funded via the corporate actors which employ these programmers. Those actors are either on this list, or don't have a problem with this list.
What remains are the handful of truly independent contributors, which are a minority in terms of LoC (though they often have an outsized impact), and the peanut gallery.
Open source wasn't always this way, it would be a different discussion 30 years ago when independents were the only guys in town, but it is now.
Instead, millions of developers now gift corporations their work by releasing everything under MIT or Apache, and those corporations take from that treasure trove what they want and give back what they want, which is very often nothing.
I barely have to do it, but imho, this is how software should work and what running a computer should feel like.
> Keep in mind I am not a coder/engineer
How do you control and audit something you don’t understand? What specific steps are you taking?
Putting my nostalgia-tinted glasses on, it's sad how far we've strayed from that.
It seems weird to blame Google here, given that they didn’t manufacture the bugs: the bugs were already there, and they just found them. This is arguably the best thing for all parties: open source maintainers are still under no obligation to fix things, but downstreams can properly inform themselves about the risks they inherit by using any given project.
The alternative is a “don’t ask, don’t tell” system, which people generally agree doesn’t work well in other aspects of life.
It may be an industry body, but it runs multiple community conferences and projects which support Open Source. A notable example in this case being the OpenSSF https://openssf.org/
The LF is not perfect, but I would expect them to come from an OSS and community angle on this.
You can complain about supply chain problems, or you can actually try to work on it. They're trying to work on it.
But in the examples cited (and really any other large closed piece of code of any significance in this era) it also has owners with money, and they should be compelled to fix their own stuff.
Or open the source code to be fixed, I guess ;-)
Still hasn't addressed the moral clarity point being brought up, nor the ramifications of the Linux Foundation choosing which closed source projects to focus on and alienating their mission statement.
Again, your idea is noble but why should the Linux Foundation be saddled with it when those other options exist? OSS needs their focus as their mission outlines.
Well perhaps the companies who employ them to make that software they sell for profit should let them do that first rather than tokenmaxxing, and the great big non-profit effort can get round to them to help a little bit later after it has helped secure all the open-source stuff the internet actually runs on.
Gnome and Systemd are a fine example of how fucked up this can get.
I prefer easy.
If you prefer difficult, more power to you.
If true, then choosing this name was a very bad decision.
Imagine how Muslims would feel; it demonizes them even more: before they were terrorists, now they are attacking open source, and hence some organizations need akrites to defend against them.
I really wish such organizations, which try to demonize anyone, would fail miserably.
Wouldn’t you say that’s way better than the status quo with windows/macOS?
There's bureaucracy of course but the mission is clear. Highly recommend working with them in any capacity.
An open letter regarding the launch of Akrites – a coordinated effort to remediate vulnerabilities in the open source software the world runs on
For decades, open source has been one of the great achievements of technology – software we built together and came to depend on completely. Today, this code underpins the world’s critical infrastructure and services that people depend on every day: banking, telecommunications, utilities and more run on the same open source libraries. Over the years, the industry incorporated open source throughout tech stacks.
The world has now changed around it. Artificial intelligence has collapsed the previous equilibrium between attackers and defenders, changing the equation of ease and reuse of software. Finding a serious vulnerability in a major open source project used to take an expert weeks. This now takes a machine minutes, and often the AI model returns multiple vulnerabilities in a single pass. The same AI capability that can help harden our software will, in the wrong hands, turn vulnerability discovery into a pipeline. In turn, this has already accelerated the cycle to a pace that is rapidly outstripping maintainers’ capacity to patch vulnerabilities. This is not a theoretical future risk. It is the present condition of every system we are responsible for.
Today, we are announcing a plan for addressing this issue in critical open source software – Akrites is the largest coordinated effort in history to create systems and deploy tooling that leverages the collective power of the community to make everyone safer. We are joined by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler to find, fix, and responsibly disclose vulnerabilities in critical open source software and support the security of the critical infrastructure that depends upon it.
A large and growing percentage of the world’s technology and open source software we depend on is built from the same components, carries the same latent defects, and is now exposed to the same accelerated discovery. No vendor’s walls are high enough to make this someone else’s problem.
Previously, security response and disclosure involved a patchwork of organizations and teams, often working on the same problems and sometimes shipping conflicting patches or multiple reports. In this new environment, acting without coordination will worsen the problem and waste precious time.
When dozens of companies independently scan the same library and each file a report, we bury the maintainers under noise. Every additional party that holds an unpatched vulnerability raises the odds it will leak before there is a fix, increasing the risk to all of us. So we are stating plainly: We all depend on open source, and we will all defend it together.
Akrites is our commitment to act differently and to act upstream, where maintainers live and where we can proactively respond to this new reality. This approach provides one confidential, trusted place to coordinate discovery, remediation, and disclosure, matching or surpassing the speed of AI-assisted attackers. A shared, dedicated Security Incident Response Team gives maintainers a single, predictable partner instead of a hundred uncoordinated reports.
As Akrites works upstream to fix projects at the source, we commit to support downstream efforts to secure critical infrastructure before it can be exploited. When patches are released to the public, adversaries are able to utilize AI to rapidly reverse engineer the underlying vulnerabilities, develop exploits, and launch attacks. The success of our efforts therefore will be measured in patch deployment, not publication. We will partner with critical infrastructure owners and operators, civil society efforts, and governments as they increase coordination to achieve these goals.
Confidentiality is non-negotiable: An undisclosed flaw in a widely deployed package is, in effect, a weapon, and the program is built first to prevent leaks. Fixes flow back into each project’s own home, working with the maintainers. The engineering resources and other capabilities provided by Akrites participants contribute to this effort. Additionally, when a critical package has no one maintaining it, Akrites will stand as the maintainer of last resort so a fix can still reach everyone in a timely fashion. We will also align with government efforts so that public and private defenders move together, rather than in a disjointed fashion.
Akrites participants will contribute engineering resources, work to build and ship fixes, or fund the engineers who do. Some companies have contributed mightily already. The reality is, collectively, we need to contribute more.
Today, the undersigned commit real resources — engineering talent, security expertise, and funding — to harden the software we share. We have benefited from the incredible work of maintainers over the decades. As part of our responsibility and our commitment to open source we will meet this moment together, as partners, and make all of us safer.
The window is open now to get ahead of the new open source security risk reality, but it will not stay open. Together, we can take on the new risks while leaving behind a legacy of support and commitment to open source that secures the world’s technology systems for years to come.
Patch the commons together.
– The undersigned, June 25, 2026
**Amazon Web Services**
“Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before. That’s an enormous opportunity for defenders, and Akrites ensures we seize it together. Maintainers deserve a coordinated partnership, not a flood of reports. AWS is committed to securing the projects our customers depend on and building this shared infrastructure alongside the community.”
– Matt Wilson, Vice President and Distinguished Engineer, Amazon Web Services
**Anthropic**
“Open source projects collectively underpin much of the internet, and the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities. Getting ahead of that requires the industry to coordinate on findings and get fixes upstream before they’re disclosed and exploited. Efforts like Akrites drive this level of coordination at the scale and speed this moment requires.”
– Jason Clinton, Deputy Chief Information Security Officer, Anthropic
**Chainguard**
“The software supply chain is only as strong as the upstream it draws from, and we see how thin that layer really is. As AI finds more vulnerabilities, the industry will rush to patch them. Without coordination, those fixes will fragment across different patches and forks, and maintainers who are already overwhelmed, unreachable, or haven’t touched a project in years. Akrites gives the industry one coordinated way to fix vulnerabilities upstream before they’re exploited, with maintainers still in control. Now the work is making sure there’s always someone on the other end to catch them.”
– Dan Lorenc, CEO and Co-founder, Chainguard
**Cisco**
“Finding a serious open source vulnerability used to take an expert weeks. It now takes a machine minutes. When maintainers lose that race, so does everyone else. No single company, no single maintainer, and no single government can close that gap alone. That is why Cisco is bringing its networking infrastructure, security expertise, and decades of open source contribution to Akrites – because defenders cannot afford to lose, and maintainers cannot be left to run this alone.”
– Vijoy Pandey, SVP and GM, Outshift by Cisco
**Citi**
“Advances in AI models have significantly reduced the effort required to discover and exploit vulnerabilities. In partnership with the Linux Foundation and Project Akrites, Citi is committed to supporting the open-source ecosystem by helping to build a framework that identifies and remediates vulnerabilities and shares proposed patches. Focused on securing critical infrastructure, this initiative is a key part of our efforts to help the industry mitigate emerging threats.”
– Al Tarasiuk, Chief Information Security Officer, Citi
**CNCF**
“Open source cloud native infrastructure is the operational backbone of modern production software. When a vulnerability exists in a component that runs across thousands of Kubernetes clusters and cloud native deployments, the blast radius is enormous. Akrites addresses the coordination problem that has always made large-scale remediation so difficult: getting the right people, with the right context, working on the right fixes before the window closes. CNCF and OpenInfra are proud to support an effort that treats the open source ecosystem as the shared critical infrastructure it is.”
– Jonathan Bryce, Executive Director, Cloud Native Computing Foundation (CNCF)
**Endor Labs**
“For years we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore. Of the thousands of validated open source vulnerabilities surfaced in recent months, fewer than 5% have been patched. Endor Labs is a founding member of Akrites because it is built for the response this moment needs: coordinated remediation upstream, handled confidentially, with maintainers in control, so one trusted fix reaches everyone who depends on the code.”
– Varun Badhwar, CEO and Co-Founder, Endor Labs
**Ericsson**
“Vulnerability discovery is now moving at a speed that overwhelms both the maintainers who sustain open source projects and the users who rely on them. Uncoordinated reporting, patching, and disclosure create friction, putting the entire ecosystem at risk. No single organization can solve this alone. That is why Ericsson is joining Akrites as a Premier member, contributing funding and talent to a shared effort to keep open source software secure and thriving.”
– Per Beming, Chief Standardization Officer, Ericsson
**Google**
“As AI accelerates both the scale and speed of vulnerability discovery, defending the open source ecosystem requires an equally rapid, coordinated response. By joining Akrites, we are combining Google’s long-standing commitment to open source security with industry-wide expertise to ensure that vulnerabilities are found, fixed, and responsibly disclosed before they can be exploited. Safeguarding the software that powers the world’s critical infrastructure is essential to maintaining trust in our digital future.”
– Heather Adkins, VP Security Engineering, Google
**JPMorganChase**
“AI has massively compressed the time between vulnerability discovery and exploitation to near real time, which means we have to compress the time from fix to deployment. That’s why we at JPMorganChase are helping to build this effort to measure success in patch deployment, not patch publication. We support a mechanism that enables downstream operators of critical infrastructure so that fixes reach real systems before adversaries can turn disclosures into exploits. And upstream, we owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust, rather than a flood of duplicative, conflicting reports.”
– Pat Opet, Chief Information Security Officer, JPMorganChase
**IBM**
“Open source powers the systems we rely on every day—running everything from banks and hospitals to power grids and AI platforms,” said Jamie Thomas, IBM Enterprise Security Executive. “As frontier AI accelerates vulnerability discovery, the risk has grown too large for any one organization to address alone. That’s why an ecosystem approach is critical, bringing the community, technology providers, and enterprises together to ensure vulnerabilities are addressed collaboratively and at the new speed required today.”
– Jamie Thomas, IBM Enterprise Security Executive
**LF Energy**
“LF Energy supports the industry coming together to improve the security of the open source software our energy systems depend on. Our projects operate in critical infrastructure, from grid operations and substations to EV charging networks, so the integrity of that software supply chain matters enormously. We back a coordinated, upstream-friendly approach that works alongside maintainers and shares the investment in keeping critical open source components secure.”
– Alex Thornton, Executive Director, LF Energy
**Microsoft & GitHub**
“OpenSSF and Alpha-Omega demonstrated what is possible when industry comes together to strengthen open source security. Building on our experience co-founding these organizations, Akrites was created to address the emerging inflection point of AI-powered vulnerability discovery and defense. As a founding member, Microsoft will contribute expertise, resources, and AI technologies to help responsibly identify and fix vulnerabilities across the open source software ecosystem that customers and organizations depend on.”
– Mark Russinovich, Azure CTO, Deputy CISO and Technical Fellow
**NVIDIA**
“Transparency and open collaboration are how the cybersecurity community has kept infrastructure safe for decades. In the age of AI, these open source foundations have never been more critical. Open source AI is the engine of American innovation — and one of our most powerful tools for deploying AI with the security, trust, and transparency needed to power this industrial revolution.”
– David Reber, Chief Security Officer, NVIDIA
**OpenInfra**
“AI-powered vulnerability discovery is rapidly increasing the workload facing open source security and vulnerability management teams. To put this in perspective, the OpenStack community issued 20 security advisories this quarter alone, compared with just two advisories during all of 2025. As the volume of reported issues continues to accelerate, the OpenInfra Foundation welcomes efforts that help critical open source infrastructure projects manage this growing influx of findings effectively upstream.”
– Thierry Carrez, GM, OpenInfra Foundation
**OpenJS**
“The OpenJS Foundation believes improving open source security is a shared responsibility. As organizations increasingly use automated tools to identify potential vulnerabilities, collaborative approaches that help validate findings, reduce noise, and support coordinated remediation are essential. We welcome efforts that strengthen the relationship between industry and maintainers while helping improve the security and resilience of the open source software ecosystem.”
– Robin Bender Ginn, Executive Director, OpenJS Foundation
**OpenSSF**
“The rapid pace of AI driven vulnerability discovery is a new reality that no single team can face alone. OpenSSF stands firmly in support of this mission because it prioritizes the health of the open source projects we share. This coordinated approach allows us to secure our community and build the resilience we need for the future.”
– Steve Fernandez, General Manager, OpenSSF
**PyTorch Foundation**
“Open source foundations exist to create the conditions for the industry to do hard work together that no single organization can do alone. Security is no different. AI has fundamentally changed the math on vulnerability discovery, and going it alone is no longer just inefficient; it’s dangerous. Efforts like Akrites pave the way for the widest possible participation and the largest possible impact.”
– Mark Collier, Executive Director, PyTorch Foundation
**RapidFort**
“Open source only works when we keep the work open, upstream, and available to everyone who depends on it. The answer to the AI-driven vulnerability crisis is not to fragment the ecosystem behind proprietary walls or turn community foundations into closed products. It must be coordinated remediation that preserves the integrity of original software, works with maintainers, and returns fixes to the commons. We are proud to support the Akrites initiative which aligns with our belief of strengthening the open source ecosystem from within, helping organizations reduce risk without unnecessary code changes, and making the software we all share safer for everyone.”
– Mehran Farimani, CEO, RapidFort
**Red Hat**
“Open source is the foundation of modern software innovation. Defending that foundation requires a coordinated, upstream community response capable of meeting threats at scale. Red Hat’s participation in Akrites focuses on strengthening this upstream ecosystem. By collaborating openly to identify and patch vulnerabilities at the source, we help build a more resilient software supply chain for the entire industry.”
– Chris Wright, Chief Technology Officer and Senior Vice President, Global Engineering, Red Hat
**Rust Foundation**
“For too long, the goodwill and sense of responsibility among upstream maintainers has been taken for granted in security response processes. Akrites promises meaningful coordination with upstream maintainers, financial, and full-time support to find, fix and disclose security vulnerabilities responsibly, and a genuine commitment from the most influential companies across tech and finance to solve this problem. The Rust Foundation looks forward to working with Akrites to develop security that is fit for the future.”
– Rebecca Rumbul, Executive Director & CEO, Rust Foundation
**Sonatype**
“Sonatype sees the dependency graph of the modern world every day. A single vulnerable component can sit underneath thousands of organizations, which means one upstream fix can reduce risk across an entire ecosystem. AI may make vulnerability discovery dramatically easier, but it does not make coordinated repair automatic. Akrites is important because it gives the industry a confidential way to do that work together, upstream, before the same flaw becomes thousands of separate incidents.”
– Brian Fox, Co-founder and CTO, Sonatype, and Steward of Maven Central
**Vodafone**
“With the increasing ability of AI to fast-track vulnerability discovery, now is the right time to come together and invest resources to safeguard critical open-source software on which telecommunications and many other industries rely. As a founding member, Vodafone has committed both expertise and funding to Akrites. This unified initiative will drive a co-ordinated, industry-wide approach to responsibly identify and fix vulnerabilities in the software that runs the systems upon which the world depends.”
– Paul Hopkins, Cyber & IT strategy and Architecture Director, Vodafone
**Zscaler**
“AI has changed the speed of both offense and defense. Vulnerabilities can now be found at machine speed, which means defenders have to move just as fast. Akrites helps turn that speed into an advantage for the open source ecosystem by finding issues earlier, coordinating remediation responsibly, and pushing fixes upstream. Zscaler is proud to be part of it.”
– Deepen Desai, EVP and Chief Security Officer, Zscaler
I always advise aspiring open source enthusiasts to stay far, far away from the Linux Foundation. It has become a barrier to software freedom these days, rather than an enabler.
Clearly you don’t feel that strongly about it. You know what would’ve been easier than making an account just to post that comment? Not doing that.
Have you also stopped working, paying your bills, showering, eating, interacting with other people? Not doing any of that is easier than doing it.
But still, the name is a bad, uninformed choice.
It's not Muslim related even at the time they existed.
I wish malicious interpretations like yours would fail miserably. The word for the soldiers is about them, not who they fought.
I mean I guess we have stop calling things the Great Wall because it repelled incursions from the Manchurians and maybe those people who live in their ancestral lands who were defeated and incorporated into modern Chinese society might feel a tinge of anger…
Many die on the hill of "developing something required for free with permissive licenses for recognition which will help with their future endeavors", which is the same with other creative lines of work. As a result they are milked of their knowledge and forced to bear the burden of leading the project and handling the community while companies just use what's developed while quietly but strongly nudging the project's direction for their benefit.
If the developer gets rogue, the thing is forked and sometimes closed down with no downside to the company, but the community and the developer(s) are hung to dry, conveniently signaling other developers about what they might face if they disobey their overlords with iron fists in velvet gloves as a secondary effect.
Occasionally, EA for example, a big corp will donate some money to. Apple has created PRS to add support for Vision Pro.
If Godot was GPL it would be useless for most commercial game devs.
But it was fun - and Electron became something totally different and useful. This is what tech innovation is all about.
Microsoft, after acquiring them, instead of continuing these great projects with VSCode, paid for influencers to trash Electron (which worked for the most part, in 2026 most people think Electron sucks and can't say why - when WKWebView is way worse! Nobody cares).
So, MS builds VSCode - doesn't even fork Atom to do so. Looks identical to it. They built it from scratch. Bigger. Slower. Now with Copilot! I just went back to Atom (rather Pulsar, the last good fork).
I share this because it's exactly what Microsoft always does. They acquire based on opportunity and competitive space then rarely even use what they paid for. They get rid of all the good employees and the good code. They put a bunch of Indians in there who just hire other Indians and totally ruin the product.
But what gets me is EVERYONE uses their stuff still hahahah Guys. STOP USING MICROSOFT STUFF. Get off LinkedIn. Let's all go in on another VCS. Until open source developers put their money where their mouth is, Microsoft will continue to suck in more ways than one.
I would disagree with this, it's the same amount of community effort as it's always been. Big projects have big governance, and receive lots of patches. Smaller projects receive fewer patches. The community generally happens in Discord or IRC or on mailing lists, but it definitely exists.
The real threat to "community effort" are drive-by low-effort LLM-generated Pull requests that decrease the signal-to-noise ratio by a lot and make managing open source projects such a slog.
You can always find bad examples. The good news is there’s still lots of good ones out there right now. No point in being defeatist about it, just do what you can.
So, in terms of a security project an Akritas would be you running an EDR agent on a machine that you own, not some of the signatory companies who basically do not own anything on the edge (end user equipment).
GitHub could only exist because it was built on top of git, which is also GPL licensed. This is not the only example but should be the immediate one since nearly a vast majority of devs touch git on a daily basis.
Maybe stop listening to your legal team and actually think for a moment. GPL doesn't prevent commercialization, what it does is make sure everyone contributes to the same project equally. Shocker, corporations do not want to contribute to the common good they want to rat fuck it into submission for profit.
Remains to be seen whether history will repeat itself: when the tax breaks/ free AI use stops, will anyone keep doing this?
Disclaimer: I have had nothing to do with this initiative, and was not consulted on the name.
I'm not an open source maintainer so I could be completely off base here.
Open source would look drastically different, for the better I might add, if devs had a real choice in what to invest in.
Corporate control of open sources has not benefited devs or society as it stands. Continuing to let corporations control should not continue to stand. There is no reason why big tech can have taxes imposed on them where the public can decide what is best for them and not the devs at Meta that are fine with profiting from a genocide or mass misery.
Someone needs to fix a memory leak here.
Atom was famously slow. Even among people using it and championing it.
VSCode totally wowed people not just because it was faster, but because it was essentially the first «real» Electron-app which proved Electron-apps could have near native performance.
You got this part 100% backwards.
https://httpd.apache.org/ABOUT_APACHE.html
> We realize that it is often seen as an economic advantage for one company to "own" a market - in the software industry, that means to control tightly a particular conduit such that all others must pay for its use. This is typically done by "owning" the protocols through which companies conduct business, at the expense of all those other companies. To the extent that the protocols of the World Wide Web remain "unowned" by a single company, the Web will remain a level playing field for companies large and small. Thus, "ownership" of the protocols must be prevented.
Last but not the least, many people are very ill-informed about GPL and how it works. I experience this when we discuss this with peers.
This is why I only use copyleft (or non-commercial/share-alike) licenses on what I build/produce/put out.
I don't think that's true at all. Try running Zed or Sublime.
The Godot foundation picked MIT for a good reason. If your legal team says no GPL then no GPL. This has been standard practice for decades.
It's your linter
And Electron apps do not have near native performance lmao Not even close. And neither does VS Code haha. Definitely slow just like Atom.
You missed the point
Not every airport is a huge commercial building with hundreds of people (also, you wouldn’t visit one of those to parachute jump). Some are akin to cozy shacks without a lot of traffic where you’re in and out in no time.
They mostly do not.
They only demand that you offer the source code to anyone that asks for it if you also distribute any kind of executable (you may even charge to cover the costs of the distribution).
The AGPL expands this to SaaS's too to close that loophole.
Accepting 'Big Changes' from people is VERY frustrating. These thoughts run through my head.
* Idea is usually good! Even if I don't understand it could help lots of others users.
* The contributor is very focused on just getting their feature in. The impact on the larger project isn't as much a concern.
* New contributors often don't have the grit to see it out. They will disappear before things are done. So I am left picking up the pieces (which is harder than doing it all myself)
----
What I try and remember is that their happiness/experience matters more than any code. I try to help the contributor learn/grow as much as possible and even see some career benefits out of it. Pion will cease to matter eventually, so I hope to help as many programmers with it as possible.
The changes you make to a game engine are almost never the important part of your game's IP.
I guess you could sell the game ready to play, and then upload its source code without needed assets somewhere else.
Most companies aren’t going to be ok with this.
I know when I write a project, I just MIT license it. If some of the code I wrote helps you get your job done, go for it.