The open-source software that powers the world's banks, hospitals, power grids, and AI platforms is facing a fundamentally new kind of threat. Today, we are proud to announce that RapidFort is a founding member of one of the most significant coordinated responses to that threat in the history of software security.
RapidFort is a charter member of Akrites, an initiative launched by the Linux Foundation, alongside AWS, Anthropic, Cisco, GitHub, Google, Microsoft, OpenAI, JPMorgan Chase, and others. Together, we are committing to finding, fixing, and responsibly disclosing vulnerabilities in the critical open-source software the world depends on.
Why This Moment Is Different
What is happening now is not an incremental change. It is a revolutionary leap.
For decades, open source software has been one of the defining achievements of the technology industry: built together, shared freely, and woven into the foundation of nearly every system that runs modern society. Approximately 85% of enterprise software today is open source, which means most software risk lies outside any single organization's direct control.
For most of that time, finding a serious vulnerability in a widely used open source project required expert-level skill and weeks of focused effort. That reality has collapsed. Frontier AI models can now scan a major open-source project and surface multiple vulnerabilities, including chained ones, in a single pass within minutes. The same capability that accelerates defense can, in the wrong hands, industrialize attack at a scale and speed no team of human researchers could match.
The numbers tell the story. Disclosure-to-exploit windows have compressed from 24 months a decade ago to less than 10 hours today. Enterprise remediation cycles still take weeks, if they happen at all. This is not a theoretical future risk. It is the present condition of every system we are responsible for.
What Is Akrites?
Akrites is a coordinated and collaborative initiative to remediate and responsibly disclose vulnerabilities in critical open-source software that global infrastructure depends on.
The core problem Akrites solves is fragmentation. In the past, security response involved a patchwork of organizations often working on the same problems independently, sometimes shipping conflicting patches, and frequently burying maintainers under duplicate reports. When dozens of companies independently scan the same library and each files a report, the maintainer on the other end gets buried in noise. Every additional party holding an unpatched vulnerability raises the odds that it leaks before a fix exists, which increases risk for everyone.
Akrites changes that model through the following commitments.
A single, shared Security Incident Response Team (SIRT) gives maintainers one predictable, trusted partner instead of a flood of uncoordinated reports.
A coordinated vulnerability disclosure (CVD) process built on confidentiality-first principles and established industry tooling: CVE for identifiers, TLP for sharing restrictions, CWE for weakness classification, CVSS for severity scoring, EPSS for exploitation likelihood, SSVC for stakeholder-specific prioritization, and VEX for stating whether a product is actually affected by a given vulnerability.
Fixes flow back upstream into each project's original home, on maintainers' terms.
Where a critical package has no active maintainer, Akrites will serve as the maintainer of last resort so fixes reach everyone in a timely fashion.
Success is measured in patch deployment, not patch publication.
When a patch is released publicly, adversaries can diff it to recover the underlying vulnerability, develop exploits, and launch attacks. Patch diffing is a long-established technique; AI simply makes it faster and cheaper. Getting fixes into real systems before that window opens is the actual goal.
Alpha-Omega, a directed fund of the Linux Foundation, will provide seed funding to support the initiative. Organizations that contribute engineering resources or funding are invited to participate at akrites.org.
Why We Are Part of This
RapidFort was built on the conviction that Software Supply Chain Security has to be solved at the source. Akrites is a direct expression of that same conviction applied at an industry level.
As our CEO, Mehran Farimani, wrote in the founding open letter:
"Open source only works when we keep the work open, upstream, and available to everyone who depends on it. The answer to the AI-driven vulnerability crisis is not to fragment the ecosystem behind proprietary walls or turn community foundations into closed products. It must be coordinated remediation that preserves the integrity of original software, works with maintainers, and returns fixes to the commons."
This is the principle that shapes everything RapidFort builds.
RapidFort is designed around a single premise: the only scalable solution to software supply chain risk is to eliminate attack vectors before they reach production, not manage them afterward. Our approach of continuous threat elimination removes vulnerabilities at the source, across the entire software lifecycle, without requiring code changes. Organizations using RapidFort can achieve up to 99.9% reduction in vulnerabilities within hours and up to 90% reduction in software attack surface.
Akrites operates upstream: getting ahead of the vulnerability cycle at the source by working with the maintainers who own the code before those vulnerabilities propagate into production systems everywhere. The two approaches are genuinely complementary. One secures the commons while the other secures the enterprise stack built on top of it.
What This Means for the Industry
One part of this initiative deserves particular attention because it speaks to something the industry has long owed open-source maintainers.
Open source maintainers have, for years, absorbed an accelerating volume of security work that was never part of what they signed up for. Volunteers have been expected to independently process floods of uncoordinated reports from dozens of organizations, with no prioritization, no consistent support, and no acknowledgment of the burden placed on them. That model was fragile before AI changed the discovery equation. It is simply no longer viable.
Akrites is, at its core, an acknowledgment of that debt and a commitment to repay it through coordinated, funded upstream support. Founding members are contributing engineering talent, security expertise, and funding to harden the shared software we all depend on.
The initiative also commits to coordinating with government efforts so that public and private defenders move together rather than in a disjointed fashion. Getting fixes into real systems before adversaries can exploit disclosures requires that kind of alignment across the full ecosystem.
The Window Is Open Now
The founding Akrites letter closes with a warning worth repeating: the window to get ahead of the new open-source security reality is now open, but it will not stay open.
AI has changed the math on both sides of the equation simultaneously. It has accelerated discovery for attackers while making coordinated upstream defense possible for defenders willing to act together rather than in silos. Businesses and organizations that move now have the opportunity to build something that genuinely gets ahead of the threat cycle rather than perpetually chasing it.
We are proud to be part of that effort and we believe the best version of this outcome is one in which the open-source ecosystem remains authentically open, upstream, and available to everyone who depends on it.
That is worth defending together.
RapidFort is the leader in Software Supply Chain Security, enabling organizations to eliminate risk across their software stack at scale. Its platform combines curated near-zero CVE container images, runtime profiling, and attack surface management to remove up to 99.9% of vulnerabilities within hours and reduce the attack surface by up to 90% without code changes. RapidFort is included in the inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security, a Gartner® Cool Vendor™, and a Nutanix .Next Partner of the Year.
Read the Open Letter
The founding signatories of Akrites published a joint open letter to the technology industry titled "We All Depend on Open Source. We Will Defend It Together." It is a direct, plainspoken statement of why this effort exists and what the undersigned are committing to.
Read the full letter. To learn more about Akrites or to join the initiative, visit https://akrites.org.
To learn how RapidFort helps organizations eliminate software supply chain risk at the enterprise level, visit www.RapidFort.com.
© 2026 RapidFort, Inc.