Linux Foundation Launches Akrites To Coordinate AI-Driven Open Source Security (nerds.xyz)
BrianFagioli writes: The Linux Foundation has announced Akrites, a new initiative to coordinate vulnerability disclosure and remediation for critical open source software as AI dramatically speeds up vulnerability discovery. Founding members include AWS, Google, Microsoft, OpenAI, Red Hat, NVIDIA, IBM, Cisco, JPMorganChase, and others. Akrites will provide a shared Security Incident Response Team (SIRT), a standardized coordinated vulnerability disclosure process, and act as a "maintainer of last resort" for abandoned but widely used packages.
The goal is to reduce duplicate reports, avoid conflicting patches, and help upstream maintainers address vulnerabilities before they can be exploited. As AI makes it easier to find security flaws, can a coordinated industry effort help protect open source, or does it risk giving large corporations too much influence over the ecosystem? "Akrites is the largest coordinated effort in history to create systems and deploy tooling that leverages the collective power of the community to make everyone safer," the Linux Foundation said in an open letter. "Akrites participants will contribute engineering resources; work to build and ship fixes; or fund the engineers who do. Some companies have contributed mightily already. The reality is, collectively, we need to contribute more."
I invented attribution (Score:1)
LLM driven security is a scam (Score:2, Troll)
It does not work and cannot work. LLMs are both far too limited and far too unreliable to be useful. They can create a massive sense of false security though. And while they need to be run on software (because attackers will do it), that does not make that software secure.
Stop believing LLMs are magic. They are not.
Re: (Score:3)
It does not work and cannot work. LLMs are both far too limited and far too unreliable to be useful. They can create a massive sense of false security though. And while they need to be run on software (because attackers will do it), that does not make that software secure.
Stop believing LLMs are magic. They are not.
You should subscribe to some security mailing lists. Even absent that it's hard to believe you have not noticed the massive increase in CVEs since everyone started using frontier models. Fortunately the vast majority of them are EOP and DOS and not RCEs, but one thing they are not is imaginary.
Re: (Score:1)
I do know about the increase in CVEs. But since I have some actual understanding of the matter, I can see it is NOT a good thing. LLMs massively advantage attackers, while helping defenders very little.
And, quite frankly, some of these newly found vulnerabilities are just the result of shoddy coding and no tool use. For example, use-after-free is NOT something that only an LLM or manual review finds. It is not something that is even exploitable with reasonable coding practices. Even frigging plain GCC has a
Re: (Score:1)
Re: (Score:2)
Says the moron to the expert.
Re: (Score:1)
Touch grass, a self-proclaimed "expert" isn't worth much.
You are correct about the fact that some of those vulnerabilities could have and should have been found. The fact that they weren't, only confirms that using AI actually helps defenders as well.
But I fail to see how using AI to help defenders would be "NOT a good thing". Are you suggesting to put the cat back in the bag and prohibit the use of AI to poke software? Attackers aren't known for following laws, this would only inhibit the defence. Are you
Re: (Score:3)
since I have some actual understanding of the matter, I can see it is NOT a good thing.
I did not comment on whether it is good or bad, only that the tools do actually provide some valid and useful results. The exploding list of CVEs is clear evidence of that.
LLMs massively advantage attackers, while helping defenders very little.
No doubt about it, but that said any serious defenders not using the same tools are still handicapping themselves.
And, quite frankly, some of these newly found vulnerabilities are just the result of shoddy coding and no tool use.
No argument here. The unfortunate reality is that there is an astounding amount of shoddy code out there, and that long predates AI. Not just the likes of Microsoft and Mozilla using AI to fix hundreds of bugs recently. Li
A bug, is a bug, is a bug (Score:2)
The sad part is when folks see all these reported bugs and decide to abandon the software altogether as a result, which is something we have been seeing with kernel drivers for old hardware which, quite frankly
Re: (Score:2)
You miss the point. LLMs are incapable of finding all the exploits for defenders they can find for attackers. And manual analysis by attackers can still find a _lot_ more that are out of LLM reach.
Re: (Score:1)
This claim doesn't make much sense. Manual analysis is off topic, nothing changed about this by the introduction of LLMs.
Why would LLMs somehow act worse when used by defenders? Are you assuming that the only attackers are nation states with virtually unlimited budget? Isn't raising the budget for defenders what the news is about?
Re: (Score:2)
Is this really their topic? Shouldn't EFF and ACLU be active against these laws?
Etymology (Score:2)
Re: (Score:2)
Linux is now a testcase for sketchy tech (Score:2)
Re: (Score:2)
Sure Rust it, AI it--what's next?
Writing userspace stuff in BPF [wikipedia.org] so it can run super fast within the kernel. Starting with systemd.