The Akrites project has been announced; it will coordinate the patching of vulnerabilities in critical open source software and the disclosure of information about them.
The project was created under the auspices of the Linux Foundation with the participation of Amazon Web Services, Anthropic, Cisco, Ericsson, Google, IBM, Microsoft/GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Sonatype and Vodafone, as well as the non-profit Rust Foundation.
The participants will contribute funding, engineering resources and security expertise to form a joint security incident response team (SIRT). The team will identify new vulnerabilities, analyze and verify incoming vulnerability reports, assess their severity, develop fixes together with the maintainers of the affected open source projects, and coordinate the disclosure process. Disclosure will be synchronized with the release of fixes in the upstream projects, in distributions and in dependent products.
The announcement notes that, whereas writing an exploit previously required expert knowledge and a lengthy development effort, modern AI tools allow unskilled attackers to produce a working exploit in a matter of hours from the information contained in a patch. If a fix is released without explicitly stating that it addresses a security problem, users and developers of dependent projects may ignore the update, while attackers, aided by AI tools, can quickly prepare an exploit and begin attacking unpatched systems.
Under these conditions it becomes important to fix the problem promptly, prevent leaks while the patch is being developed, disclose the vulnerability at the same time the fix is published, and tell users that the update needs to be installed. Separately, operators of critical infrastructure, important services and projects will be notified of vulnerabilities directly, since from the standpoint of blocking attacks what matters is not so much the publication of a patch as its timely application.
The project also aims to lighten the load on maintainers by taking on work such as filtering out duplicate reports, confirming that a reported vulnerability is real, and helping to develop and test fixes.
When vulnerabilities are identified in important packages that no longer have active maintainers, the Akrites project will take on the work of preparing fixes and integrating them into those packages.