The Linux Foundation announced Akrites in early 2025, introducing it as a shared Security Incident Response Team (SIRT) and Coordinated Vulnerability Disclosure (CVD) process for open-source projects. This isn't a response to a specific breach but to the growing gap between how fast vulnerabilities appear and how fast maintainers can respond.
Here's why this matters for your compliance program: Akrites signifies a shift from the traditional "each project handles its own security" model, which is faltering under AI-accelerated threat discovery.
What Happened
No servers were compromised, and no data was exfiltrated. Instead, the Linux Foundation and OpenSSF participants assessed current vulnerability disclosure timelines and made a structural decision: critical open-source projects need shared incident response infrastructure.
Akrites establishes:
- A centralized SIRT for multiple projects
- A standardized CVD process across participating projects
- Shared resources for triage, analysis, and coordinated disclosure
The trigger wasn't a single event but the ongoing pressure of AI-driven vulnerability research finding flaws faster than individual maintainers can respond.
The Timeline That Matters
This isn't a post-mortem timeline but a capability timeline:
Before Akrites:
- Each critical open-source project maintained its own security response process
- Disclosure coordination occurred project-by-project, often through email
- Researchers reported the same class of vulnerability to multiple projects separately
- No shared infrastructure for embargo management or cross-project impact analysis
With Akrites:
- Participating projects route vulnerability reports through a shared SIRT
- CVD process applies consistent timelines and disclosure practices
- Cross-project impact analysis happens at intake, not after public disclosure
This addresses the challenge of coordinated disclosure when a vulnerability affects multiple projects, such as a flaw in a widely-used parsing library.
Which Controls Were Missing
This isn't about failed controls but about controls that don't scale to the current threat environment.
Missing at the ecosystem level:
- No standardized intake process for vulnerabilities affecting multiple projects
- No shared embargo management across project boundaries
- No centralized capability to assess cross-project impact before disclosure
- Inconsistent application of CVD timelines
What your dependency management process likely lacks:
- Visibility into whether your dependencies participate in coordinated disclosure frameworks
- SLAs for the time between private notification and public disclosure
- Processes that account for vulnerabilities disclosed to multiple projects simultaneously
What the Standards Require
ISO/IEC 27001:2022 Annex A.5.24 requires "information security incident management planning and preparation." For organizations using open-source software, this means understanding how your dependencies handle vulnerability disclosure—not just whether they patch quickly.
The NIST Cybersecurity Framework v2.0 function PR.IP-12 addresses "a vulnerability management plan developed and implemented." If your plan assumes advance notice of vulnerabilities through vendor channels, you're operating on an outdated model for open-source components.
PCI DSS v4.0.1 Requirement 6.3.2 requires maintaining an inventory of bespoke and custom software and third-party software components. Akrites doesn't change this requirement but alters the operational context—you need to know which of your dependencies participate in coordinated disclosure processes.
SOC 2 Type II CC7.4 evaluates how the organization responds to identified security incidents. For service providers built on open-source infrastructure, your incident response timeline is constrained by your dependencies' disclosure practices. Akrites provides a known framework; projects outside it remain variables.
Lessons and Action Items
For your vulnerability management program:
Inventory your critical dependencies and their disclosure practices. Track whether they participate in coordinated disclosure frameworks. Projects in Akrites offer predictable timelines.
Adjust your patch SLAs based on disclosure model. If a dependency uses coordinated disclosure, you typically get advance notice. If it doesn't, public disclosure equals immediate action.
Establish monitoring for cross-project vulnerabilities. When a flaw affects multiple projects, you need to know about all of them—not just the first disclosure.
Review your vendor risk assessments for open-source components. Ensure they ask about participation in coordinated disclosure frameworks, not just the existence of a vulnerability disclosure policy.
For compliance teams specifically:
Map your dependencies to your compliance scope. Document the disclosure process for each component. Akrites participants provide a known model; others require individual research.
Incorporate this into your third-party risk management process. Open-source projects are third parties—apply the same rigor to understanding their security practices.
What to do this quarter:
Run a dependency audit focused on disclosure practices, not just license compliance. For each critical dependency, determine if it has a published security policy and participates in a coordinated disclosure framework. Assess the typical timeline from private report to public disclosure.
If you find critical dependencies without formal CVD processes, decide whether to accept the risk or replace the dependency with one offering more predictable disclosure timelines.
Akrites won't prevent vulnerabilities but provides infrastructure for managing them in a scalable way. Your job is to understand which of your dependencies use that infrastructure—and plan accordingly for those that don't.
