Dynamic Discourse: Security, AI & Open Source
Jul 02, 2026 • Carly Levinsohn • 3 min read

"Artificial intelligence has collapsed the previous equilibrium between attackers and defenders, changing the equation of ease and reuse of software… We All Depend on Open Source. We Will Defend It Together."
On June 25, 2026, the Linux Foundation announced Akrites: an initiative to identify and address critical security vulnerabilities in open source software. The excerpt above succinctly diagnoses the impact. Backed by technology companies, financial institutions, and research laboratories, the initiative rallies organizations behind the open source projects that make up the silent backbone of their applications.
Two days before the launch, we published a Blitzy blog post, "Open Source in the Age of AI", about the relationship between open source contributions and artificial intelligence. This post focuses on the security angle: what the evolving relationship between open source and AI means for how engineering will be done going forward.
AI & Security: How Capability Becomes Vulnerability
Jim Zemlin, Executive Director of the Linux Foundation, said the average time it takes to exploit a vulnerability is negative seven days. Flaws can be weaponized before defenders know they exist.
Open source absorbs a large portion of that risk. A joint Linux Foundation and OpenSSF report found that 96% of modern codebases contain open source components, so one unpatched library can ripple through banking, healthcare, and energy infrastructure at once.
Vulnerability discovery outpaces remediation. Endor Labs, a founding member of Akrites, reported that less than 5% of recently validated open source vulnerabilities had been patched.
Akrites targets the gap directly. A shared Security Incident Response Team takes in reports, deduplicates them, and coordinates a single disclosure instead of a hundred scattered ones. For critical packages that have outgrown their maintainers, Akrites can even step in as a last resort.
The distance between finding a flaw and fixing it does not lie just in processes. The problem is also a cognitive one — for which psychologists already have a name.
System 2 AI & Linus Torvalds
In Thinking, Fast and Slow, psychologist Daniel Kahneman splits human cognition into two modes. System 1 is the fast, automatic machine for instant pattern recognition. System 2 works deliberately, approaching problems by tracing, testing, and resolving conflicts properly.
Most AI vulnerability scanning falls in the System 1 category. These tools are very fast and effective at detecting bugs.
What happens when System 1 technology attempts System 2 tasks? Linus Torvalds has spent the past few months battling the kernel's now-unmanageable private security mailing list. The inbox drowns under duplicate reports from researchers running the same tools against the same code.
The system distinctions Torvalds draws are rooted in understanding and context:
"People who know what they're doing to understand systems will be able to prompt tools to write good code."
The inverse follows: "people who don't understand the complexity of systems will also prompt systems and write processes that will fail".
This philosophy of shared expertise is exactly why the Linux kernel's new contribution policy requires an "Assisted-by" tag for AI-generated code rather than treating it the same as a human sign-off.
True open source contributions come from verified, working fixes. Tools can write the pattern, but a person still has to own what the code means.
Blitzy's Position
Akrites is building the coordination layer that the junction between agentic and human engineering needs. With a shared process, maintainers face one trusted partner rather than many separate reporters.
Blitzy is built to operate at the layer underneath, doing the System 2 work that coordination alone cannot replace. This claim is not theoretical but directly supported by all of the open source projects Blitzy has contributed to in our Open Source Enhancement Initiative: dnsmasq, curl, zlib, WebVella, HeavyThing, and WordPress.
The founding members of Akrites — Anthropic, AWS, Google, Microsoft, OpenAI, and others — are effectively agreeing that AI-native discovery needs an AI-native, System 2 partner.
In only one week, the open source landscape has changed. Akrites gave the industry a coordination layer, and Linus Torvalds set the standard. Blitzy builds for enterprises as a System 2 AI, maintaining the open source standard for technical excellence.
