
On July 1st, Daniel Stenberg put a sign on the door. The creator of cURL — the networking library embedded in roughly 30 billion devices — closed his HackerOne submission form through August 3rd and declared a “Summer of Bliss.” The bliss is from not reading vulnerability reports, because AI tools had turned his security inbox into something no volunteer can triage alone: thousands of confident, detailed, and largely fabricated bug reports generated by people using LLMs to chase bounties. Stenberg is not the outlier. He is the canary. And last month, the industry finally started taking the coal mine seriously.
The Numbers Are Not Abstract
In 2025, the global CVE count crossed 48,000 — a 20% year-over-year increase driven largely by AI-powered vulnerability scanners. By early 2026, GitHub was processing over 6,000 advisory decisions per month. The first half of 2026 produced 4.5 times the package compromise volume of all of 2025. These are not security team statistics. They are open source maintainer statistics, because those maintainers — 60% of whom work unpaid — are on the receiving end of every duplicate, every false positive, every “critical” vulnerability that turns out to be a hallucination. Attackers, meanwhile, were exploiting vulnerabilities an average of seven days before public disclosure in 2025, and that window is shrinking.
What Akrites Actually Is
On June 25th, the Linux Foundation launched Akrites — backed by 19 founding organizations including AWS, Google, Microsoft, OpenAI, NVIDIA, Anthropic, Red Hat, and the Rust Foundation. The tagline is “Patch the Commons, Together.” The substance is a shared Security Incident Response Team (SIRT) and a single, standardized Coordinated Vulnerability Disclosure process built on industry tools: CVE, CVSS, EPSS, VEX, and VINCE.
The old model worked like this: an AI scanner finds a bug, sends a report directly to the maintainer, and three more AI scanners find the same bug and send three more reports. The maintainer — probably a volunteer — spends their weekend triaging duplicates, many of which are wrong. The Akrites model interposes a SIRT between finder and maintainer: validate the finding, eliminate duplicates, assess exploitability, then coordinate a fix with the maintainer as a single point of contact. Fixes flow back to the original project repo on the maintainer’s terms. For critical packages with no active maintainer, Akrites serves as maintainer of last resort.
OSS projects and foundations can join the Associate tier at no cost. The barrier to entry is intentionally low.
Akrites Is One Piece of a Larger Shift
Three complementary initiatives went live within ten days of each other in June 2026, which is either a coincidence or evidence that the industry hit a collective breaking point simultaneously. On June 15th, Chainguard launched Athena — a coalition that pools AI-discovered vulnerability findings under embargo before disclosure. It has already processed over 40,000 findings, shipped 2,000 patches across 500 projects, and 42% of what it found was critical or high severity. On June 22nd, OpenAI announced Patch the Planet — which funds security researchers to work alongside AI models to generate and ship actual patches, not just reports, with initial partners including cURL, the Go project, and Python.
These are not competing. Athena and Patch the Planet generate findings and patches; Akrites provides the coordinated disclosure pipeline. What they share is the premise that routing AI-discovered vulnerabilities directly to individual volunteer maintainers is not a security strategy — it is a burnout strategy.
What You Should Do
If you maintain an open source project or foundation, register at akrites.org. The Associate membership is free and the alternative — staying outside the coordination layer — means you remain on the direct receiving end of the flood. If you work on an enterprise security team using AI scanners against your dependencies, route findings through Akrites or Athena rather than firing emails at maintainers. If you are a security researcher: GitHub Private Reporting exists; use it. The era of “I found a bug, I will email the maintainer at 2 AM” is not sustainable when AI can generate a hundred of those emails before breakfast.
The Part That Still Has to Be Proven
Coordination bodies are easier to announce than operate. The cURL “Summer of Bliss” is a symptom of a system already overwhelmed, and Akrites is essentially asking the people who caused the flood to route through a new channel. That requires buy-in from every AI vendor and every security team running scanners — and the enforcement mechanism is social, not technical. The real test is whether the SIRT can process thousands of findings per month while maintaining the confidentiality window that makes coordinated disclosure actually protective. Attackers exploit in seven days. Coordinated disclosure takes longer. Akrites is necessary. It is not yet proven. Both things are true.













