News | Linux Foundation Japan

Linux Foundation and Industry Leaders Launch Akrites to Defend Critical Open Source Software Against AI-Enabled Cyber Threats

By: The Linux Foundation | June 26, 2026

Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft, GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler join forces in an effort to find and fix vulnerabilities in open source software used around the world and to promote responsible disclosure

Summary

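  • The Linux Foundation today announced Akrites, an initiative with industry-leading companies and organizations to coordinate the remediation and disclosure of vulnerabilities in critical open source software.
  • Akrites establishes a shared Security Incident Response Team (SIRT) and a single, standardized Coordinated Vulnerability Disclosure (CVD) process, built on confidentiality-first principles and industry-standard tooling.
  • Founding members are contributing engineering resources, security expertise, and funding to strengthen the security of the open source software that underpins critical foundations of society, including banks, healthcare institutions, power grids, telecommunications operators, government agencies, and AI research labs.
  • Organizations committed to contributing engineering resources or funding to improve the security of critical open source software are welcome to join. For details, see the Akrites website at https://akrites.org.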

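SAN FRANCISCO, June 25, 2026 - The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced Akrites, a cross-industry joint initiative to strengthen the security of the world's most critical open source software in the era of AI-powered vulnerability discovery. Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft, GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler are participating as founding members. Leading technology companies, AI labs, financial institutions, and security vendors are coming together around a shared mission: working with upstream maintainers to remediate vulnerabilities in widely used open source projects before they are exploited.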

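Open source software underpins nearly every layer of the modern digital economy, from finance, healthcare, energy, transportation, and telecommunications to government. Akrites enables cross-industry collaboration to support and protect the organizations that operate critical infrastructure and the users of open source. In the past, finding and fixing serious flaws in open source software required comparable expertise from attackers and defenders alike. Today, frontier AI models can scan major open source projects and surface vulnerabilities in minutes. Once these capabilities become widely available, even attackers who previously lacked the technical skill to carry out sophisticated cyberattacks will gain the means to do so in a short time.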

To mark the launch of Akrites, the founding members published a joint open letter to the technology industry, "We All Depend on Open Source. We Will Defend It Together." The full letter is available on the Akrites website at https://akrites.org/letter/.

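In security response to date, multiple organizations have often handled the same issue separately, resulting in differing fix patches and in maintainers receiving many duplicate vulnerability reports. Akrites changes this approach. The initiative provides a common foundation for coordinating vulnerability response, remediation, and disclosure in a centralized and trusted way. A shared Security Incident Response Team (SIRT) serves as the single point of coordination with maintainers, replacing duplicate reports submitted individually. Akrites also commits to working with critical infrastructure operators to help them deploy fix patches before vulnerabilities are exploited.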

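Confidentiality is at the core of this effort. Bug fixes are merged into the original project in accordance with the wishes of each project's maintainers. Where a critical package has no active maintainer, Akrites acts as the maintainer of last resort and helps ensure that fixes to the latest version reach users quickly and reliably. The initiative also coordinates with government efforts so that public and private security responses move in step.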

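Alpha-Omega, a special-purpose fund operated by the Linux Foundation, is providing seed funding to support Akrites. Organizations contributing engineering resources or funding to strengthen the security of critical open source software are welcome to join. For details and how to participate, see the Akrites website at https://akrites.org.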

Statements of support from participating organizations (from the original text)

Supporting Quotes

“Frontier AI models have given defenders the ability to find and fix vulnerabilities in open source software at a speed and scale that were never possible before. That's an enormous opportunity for defenders, and Akrites ensures we seize it together. Maintainers deserve a coordinated partnership, not a flood of reports. AWS is committed to securing the projects our customers depend on and building this shared infrastructure alongside the community.”

– Matt Wilson, Vice President and Distinguished Engineer, Amazon Web Services

"Open source projects collectively underpin much of the internet, and the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities. Getting ahead of that requires the industry to coordinate on findings and get fixes upstream before they're disclosed and exploited. Efforts like Akrites drive this level of coordination at the scale and speed this moment requires."

– Jason Clinton, Deputy Chief Information Security Officer, Anthropic

"The software supply chain is only as strong as the upstream it draws from, and we see how thin that layer really is. As AI finds more vulnerabilities, the industry will rush to patch them. Without coordination, those fixes will fragment across different patches and forks, and maintainers who are already overwhelmed, unreachable, or haven't touched a project in years. Akrites gives the industry one coordinated way to fix vulnerabilities upstream before they're exploited, with maintainers still in control. Now the work is making sure there's always someone on the other end to catch them."

– Dan Lorenc, CEO and Co-founder, Chainguard

"Finding a serious open source vulnerability used to take an expert weeks. It now takes a machine minutes. When maintainers lose that race, so does everyone else. No single company, no single maintainer, and no single government can close that gap alone. That is why Cisco is bringing its networking infrastructure, security expertise, and decades of open source contribution to Akrites - because defenders cannot afford to lose, and maintainers cannot be left to run this alone."

– Vijoy Pandey, Senior Vice President and General Manager, Outshift by Cisco

“Advances in AI models have significantly reduced the effort required to discover and exploit vulnerabilities. In partnership with the Linux Foundation and Project Akrites, Citi is committed to supporting the open-source ecosystem by helping to build a framework that identifies and remediates vulnerabilities and shares proposed patches. Focused on securing critical infrastructure, this initiative is a key part of our efforts to help the industry mitigate emerging threats.”

– Al Tarasiuk, Chief Information Security Officer, Citi

"For years we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore. Of the thousands of validated open source vulnerabilities surfaced in recent months, fewer than 5% have been patched. Endor Labs is a founding member of Akrites because it is built for the response this moment needs: coordinated remediation upstream, handled confidentially, with maintainers in control, so one trusted fix reaches everyone who depends on the code."

– Varun Badhwar, CEO and Co-Founder, Endor Labs

“Vulnerability discovery is now moving at a speed that overwhelms both the maintainers who sustain open source projects and the users who rely on them. Uncoordinated reporting, patching, and disclosure create friction, putting the entire ecosystem at risk. No single organization can solve this alone. That is why Ericsson is joining Akrites as a Premier member, contributing funding and talent to a shared effort to keep open source software secure and thriving.”

– Mikko Karikytö, Chief Product Security Officer, Ericsson

“As AI accelerates both the scale and speed of vulnerability discovery, defending the open source ecosystem requires an equally rapid, coordinated response. By joining Akrites, we are combining Google's long-standing commitment to open source security with industry-wide expertise to ensure that vulnerabilities are found, fixed, and responsibly disclosed before they can be exploited. Safeguarding the software that powers the world's critical infrastructure is essential to maintaining trust in our digital future.”

– Heather Adkins, Vice President Security Engineering, Google

“Open source powers the systems we rely on every day – running everything from banks and hospitals to power grids and AI platforms. As frontier AI accelerates vulnerability discovery, the risk has grown too large for any one organization to address alone. That’s why an ecosystem approach is critical, bringing the community, technology providers, and enterprises together to ensure vulnerabilities are addressed and at the new speed required today.”

– Jamie Thomas, Enterprise Security Executive, IBM

“AI has massively compressed the time between vulnerability discovery and exploitation to near real time, which means we have to compress the time from fix to deployment. That’s why we at JPMorganChase are helping to build this effort to measure success in patch deployment, not patch publication. We support a mechanism that enables downstream operators of critical infrastructure so that fixes reach real systems before adversaries can turn disclosures into exploits. And upstream, we owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust, rather than a flood of duplicative, conflicting reports.”

– Pat Opet, Chief Information Security Officer, JPMorganChase

“OpenSSF and Alpha-Omega demonstrated what is possible when industry comes together to strengthen open source security. Building on our experience co-founding these organizations, Akrites was created to address the emerging inflection point of AI-powered vulnerability discovery and defense. As a founding member, Microsoft and GitHub will contribute expertise, resources, and AI technologies to help responsibly identify and fix vulnerabilities across the open source software ecosystem that customers and organizations depend on.”

– Mark Russinovich, Azure Chief Technology Officer, Deputy Chief Information Security Officer and Technical Fellow, Microsoft

“Transparency and open collaboration are how the cybersecurity community has kept infrastructure safe for decades. In the age of AI, these open source foundations have never been more critical. Open source AI is the engine of American innovation — and one of our most powerful tools for deploying AI with the security, trust, and transparency needed to power this industrial revolution.”

– David Reber, Chief Security Officer, NVIDIA

“The world runs on open source, and securing it is a long-term commitment for us at OpenAI. Through Patch the Planet, we’re putting our models and resources behind expert-led work that helps maintainers validate issues and land fixes, and we're proud to participate in Akrites to strengthen coordination across the industry and help defend the software we all depend on.”

– Clint Gibler, Cyber Lead, OpenAI

“Open source only works when we keep the work open, upstream, and available to everyone who depends on it. The answer to the AI-driven vulnerability crisis is not to fragment the ecosystem behind proprietary walls or turn community foundations into closed products. It must be coordinated remediation that preserves the integrity of original software, works with maintainers, and returns fixes to the commons. We are proud to support the Akrites initiative which aligns with our belief of strengthening the open source ecosystem from within, helping organizations reduce risk without unnecessary code changes, and making the software we all share safer for everyone.”

– Mehran Farimani, CEO, RapidFort

“Open source is the foundation of modern software innovation. Defending that foundation requires a coordinated, upstream community response capable of meeting threats at scale. Red Hat’s participation in Akrites focuses on strengthening this upstream ecosystem. By collaborating openly to identify and patch vulnerabilities at the source, we help build a more resilient software supply chain for the entire industry.”

– Chris Wright, Chief Technology Officer and Senior Vice President, Global Engineering, Red Hat

“For too long, the goodwill and sense of responsibility among upstream maintainers has been taken for granted in security response processes. Akrites promises meaningful coordination with upstream maintainers, financial, and full-time support to find, fix and disclose security vulnerabilities responsibly, and a genuine commitment from the most influential companies across tech and finance to solve this problem. The Rust Foundation looks forward to working with Akrites to develop security that is fit for the future.”

– Rebecca Rumbul, Executive Director and CEO, Rust Foundation

“Sonatype sees the dependency graph of the modern world every day. A single vulnerable component can sit underneath thousands of organizations, which means one upstream fix can reduce risk across an entire ecosystem. AI may make vulnerability discovery dramatically easier, but it does not make coordinated repair automatic. Akrites is important because it gives the industry a confidential way to do that work together, upstream, before the same flaw becomes thousands of separate incidents.”

– Brian Fox, Co-founder and Chief Technology Officer, Sonatype, and Steward of Maven Central

“With the increasing ability of AI to fast-track vulnerability discovery, now is the right time to come together and invest resources to safeguard critical open-source software on which telecommunications and many other industries rely. As a founding member, Vodafone has committed both expertise and funding to Akrites. This unified initiative will drive a co-ordinated, industry-wide approach to responsibly identify and fix vulnerabilities in the software that runs the systems upon which the world depends.”

– Paul Hopkins, Cyber & IT strategy and Architecture Director, Vodafone

“AI has changed the speed of both offense and defense. Vulnerabilities can now be found at machine speed, which means defenders have to move just as fast. Akrites helps turn that speed into an advantage for the open source ecosystem by finding issues earlier, coordinating remediation responsibly, and pushing fixes upstream. Zscaler is proud to be part of it.”

– Deepen Desai, Executive Vice President and Chief Security Officer, Zscaler

###

About Akrites

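Akrites is an initiative to coordinate, under confidentiality, the remediation and disclosure of vulnerabilities in the open source software that critical infrastructure depends on. It provides a centralized, standardized Coordinated Vulnerability Disclosure (CVD) process operated by a shared Security Incident Response Team (SIRT). The process is built on confidentiality-first principles and conforms to established industry standards and tools (CVE, TLP, CWE, CVSS, EPSS, SSVC, VEX). For details and how to participate, see the Akrites website at https://akrites.org.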

 

This article is a courtesy translation of the press release "Linux Foundation and Industry Leaders Launch Akrites to Defend Critical Open Source Software Against AI-Enabled Cyber Threats" issued by the Linux Foundation.