惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cloudbric
Cloudbric
有赞技术团队
有赞技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Threat Research - Cisco Blogs
L
LangChain Blog
Simon Willison's Weblog
Simon Willison's Weblog
Project Zero
Project Zero
Latest news
Latest news
S
Schneier on Security
Cisco Talos Blog
Cisco Talos Blog
MyScale Blog
MyScale Blog
C
Check Point Blog
IT之家
IT之家
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CERT Recently Published Vulnerability Notes
Scott Helme
Scott Helme
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
G
Google Developers Blog
T
Tor Project blog
T
Threatpost
D
DataBreaches.Net
博客园 - 【当耐特】
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Troy Hunt's Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
博客园_首页
S
Securelist
T
The Exploit Database - CXSecurity.com
Last Week in AI
Last Week in AI
量子位
U
Unit 42
Know Your Adversary
Know Your Adversary
Hugging Face - Blog
Hugging Face - Blog
S
Security Affairs
Google Online Security Blog
Google Online Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
S
SegmentFault 最新的问题
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志

The New Stack | DevOps, Open Source, and Cloud Native News

Agentic development hinges on verification. For cloud-native software, that is a runtime problem. AI agents need infrastructure: Why Europe’s regional cloud strategy matters Transform your AI coding agent into a deterministic Java Spring expert WeAreDevelopers is coming to the US to give unsung developers a bigger voice Cleaner AI training data, fewer bugs: Sonar’s SonarSweep explained Observability overload is drowning engineers Google’s DiffusionGemma is 4x faster than its other Gemma models Fable 5: Guardrails and burn rate are annoying users, who say it’s still better than Opus 4.8 The Anthropic leader who built Claude Code says he ditched prompting — now he just writes loops. AWS can now mathematically prove your VMs are isolated Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised Databricks wants to kill the “email me a file” problem for AI agent skills Ramp bets forward deployed engineers can do what off-the-shelf finance AI can’t Git real: AI agents aren’t just for solo developers anymore Anthropic launches Claude Mythos/Fable 5, but you better try it soon This AI agent startup ditched Anthropic for DeepSeek — and says it’s saving millions When your data model is the bottleneck: lessons from Medium’s feature store How long before we stop reading the code? The tokenmaxxing party is over, and Revenium is mopping up How AI is solving the memory crunch it created Microsoft’s pitch to enterprises: Ditch Azure Repos for GitHub, despite its rocky reliability record Claude Code’s biggest upgrade yet ran 5 agents at once — here’s what happened Why Anthropic just doubled Claude Cowork limits at no charge For years, Apache Cassandra handed this work to your team — 6.0 takes it back “A dangerous combination”: The 2 factors that can “corrupt” AI agent workflows With Foundry, Microsoft bets the enterprise AI battle is about reliability, not capability Microsoft unlocks Visual Studio for developers left behind by its own AI AI teams now deploy 1,000 times a month. Your pipeline wasn’t built for that. Microsoft just made the agent runtime free — and kept everything around it “Whoever builds the most joyous product wins”: The agent war begins Netlify CTO Dana Lawson: Writing code is no longer the job From Jupyter Notebook to production: How to ship AI systems that actually work OpenClaw used Gavriel Cohen’s code and exposed the AI Agent accountability problem Replit shows how vibe coding is getting its own financial stack — and a path to profit Cloudflare aqui-hires VoidZero: Did a piece of the open web just stabilize, or become more brittle? Cursor cuts prices and adds enterprise spend controls amid “tokenomics” reckoning Google Gemma 4 12B nearly matches 26B benchmarks — and runs on your laptop Snowflake thinks it knows what’s really slowing developers down Autonomous agents have met their biggest challenge yet: The database. Why agentic AI makes the ops platform the most important layer in the enterprise How to dramatically improve enterprise security alert tuning to battle cyberattacks Why the need for humans won’t disappear in the age of autonomous databases How to secure Kubernetes in the age of AI workloads Asana says its new AI “chief of staff” turns your Slack chaos into trackable work Nvidia’s best model is now live Mate Security’s Asaf Wiener made every backend engineer a model router. He’s right to. The AI cost crisis finally has a watchdog — just not the companies causing it How to get operational data off the factory floor without creating an IT breach Why CPUs still matter in the age of AI agents Rayfin: Microsoft’s answer to the gap between vibe coding and enterprise production Microsoft bets the enterprise AI race will be won on data context, not model power “A successful attack could be catastrophic”: Anthropic gives more groups access to Claude Mythos How GitHub plans to win developers back Microsoft really, really, really wants developers to love Windows again With Intelligent Terminal, Microsoft is reinventing the Windows terminal Microsoft debuts “Scout” at Build, a new personal agent for work OpenAI’s Codex adds new tools — Sites, Annotations, more plugins — for knowledge workers GitHub Copilot’s usage-based billing is live: Here’s what you need to know OpenAI, Anthropic, Google, Amazon, and xAI all fail on type of attack, study finds JetBrains open-sources Mellum2 to go where Claude Code can’t Claude Code vs. Cursor vs. Codex vs. Antigravity — six months in This coding agent doesn’t want your feedback — it ships without it “Blowing things up”: The one move vendors got wrong on AI agents At Sapphire, SAP makes the case that enterprise AI is a context problem Gavriel Cohen found his own code inside OpenClaw, so he walked away AI retrieval at scale is becoming a systems problem, not a tooling problem The DIY platform trap that’s burning out engineering teams I tested Cursor’s new Jira integration and it’s 5 stars, no notes. Here’s why. Why GPT-5.4, Claude, and Gemini can’t agree on basic, real-world facts Replit’s vibe coding platform just got a Visa-backed identity layer for AI agents — and it changes how agents spend money Opus 4.8 Made Claude Smarter. Token Discipline Got Urgent. Why Linux creator Linus Torvalds gets angry hearing “99% of code is AI” Vendor neutrality isn’t magic: A hard look at the OpenTelemetry ecosystem “The AI did it” won’t save you when EU regulators come knocking The fix for soaring AI cloud bills exists — so why won’t we trust it? AI is shipping code faster than security was built to handle Why AWS scrapped OpenSearch’s architecture to chase agent workloads Claude Opus 4.8 is here: effort controls, dynamic workflows, cheaper fast mode, better honesty, less deception Percona celebrates 20th birthday with new foundation — and a goat cake Why OpenAI and Anthropic are hiring forward deployed engineer teams Claw-style AI agents are coming to the enterprise. The governance infrastructure is still catching up. The agentic identity crisis: Why your security isn’t ready for the AI revolution Debugging the undebuggable: building observability into probabilistic AI systems Snowflake commits $6B to AWS as it pushes deeper into AI Why MotherDuck refuses to fork DuckDB Researcher “gave Claude Code ‘ADHD’… and it thinks 2x better now.” Outside experts want more proof. “There is no accountability”: AI coding agents are installing packages no one owns “Tokenmaxxing is real, expensive & it’s spreading”: AI budgets are exploding With Google’s debut, the most important AI agent feature is now the most boring one Why AI agents need a Context Lake Google ranks the best AI for building Android apps, and the winner isn’t Gemini Google pushes Pro, Ultra, and free users from open-source Gemini CLI to closed-source Antigravity CLI The reason enterprise outages almost never start where ops teams think Taming the agentic influx: a blueprint for AI business observability How the AC/DC framework helps teams govern AI coding agents GitLab 19.0 trades its string section for a full DevSecOps orchestra Who’s monitoring the agents? How Jaeger hit 8.6× compression on 10 million spans with ClickHouse What ClickHouse learned from a year of coding with AI agents OpenClaw passed 300,000 GitHub stars. Then Google launched Spark.
After Fable 5 ban, Anthropic and 19 organizations launch open source security body
Paul Sawers · 2026-06-27 · via The New Stack | DevOps, Open Source, and Cloud Native News

The arrival of frontier AI models capable of scanning major open-source projects and surfacing multiple vulnerabilities in a single pass has handed defenders an extraordinary tool — but one that attackers can access, too.

Now, some of the biggest names in tech and industry are betting that the only way to stay ahead is to work together.

The result is Akrites, launched on Thursday by the Linux Foundation, which serves as a coordinated body to handle vulnerability discovery, remediation, and disclosure for critical open-source software.

Its founding roster spans some 20 organizations, among them AWS, Anthropic, Google, Microsoft and its GitHub subsidiary, OpenAI, Cisco, Red Hat, NVIDIA, Chainguard, Sonatype, Ericsson, Vodafone, Citi, and JPMorganChase. The initiative takes its name from the Akritai, the soldiers who guarded the Byzantine Empire’s outermost borders — the places most exposed, most frequently attacked, and most dependent on whoever showed up to defend them.

The launch comes at a volatile moment in the AI security landscape. Back in April, Anthropic released Claude Mythos through Project Glasswing, making its most capable model available to a small group of trusted partners specifically for cybersecurity defense. Then, in early June, Anthropic followed up with Fable 5 and Mythos 5 — the first generally available Mythos-class models, with built-in guardrails against misuse. Three days later, the US government suspended both after researchers found a way to use them to assist with cyberattacks.

Anthropic, notably, is one of Akrites’ founding members.

Security silo: The problem with going it alone

The open-source security model has long relied on a loose, decentralized network of maintainers, researchers, and organizations that scan for problems and report them. When finding a serious flaw took weeks of expert work, defenders had time to get ahead of it, but AI has closed that gap.

When multiple organizations independently scan the same widely used library and each files their own report, maintainers face a wall of duplicates, and the real, exploitable findings get buried in the noise. Worse, every additional party sitting on knowledge of an unpatched vulnerability increases the chances it leaks before a fix exists.

Varun Badhwar, CEO of software supply chain security company Endor Labs and a founding member of Akrites, says that AI tools have already surfaced thousands of validated open source vulnerabilities in recent months, with fewer than 5% patched — a figure from his company’s own data that hasn’t been independently verified. The hard part, he says, was never the discovery itself.

“For years we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to ignore.”

“For years, we have believed finding vulnerabilities was never the hard part. Fixing them was,” Badhwar says in a statement. “AI has made that gap impossible to ignore.”

The existing model — each organization working separately, filing its own reports — is itself the problem Akrites is designed to fix. Jason Clinton, deputy chief information security officer at Anthropic, argues the model has simply been left behind.

“The existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities.”

“Open source projects collectively underpin much of the internet, and the existing model for coordinated disclosure has been outpaced by how quickly AI can now find vulnerabilities,” Clinton says. “Getting ahead of that requires the industry to coordinate on findings and get fixes upstream before they’re disclosed and exploited.”

Patch first, publish second

The core of the Akrites initiative is a shared Security Incident Response Team (SIRT) that acts as a single point of coordination for the industry. Rather than maintainers receiving a dozen separate reports about the same flaw from a dozen different organizations, the SIRT consolidates findings, validates which are genuine and exploitable, and manages a single coordinated fix and disclosure process. It uses established industry standards — CVE, CVSS, among others — and operates under strict confidentiality rules from the moment a finding comes in.

When a patch is ready, it goes back into the original project on the maintainer’s terms. For projects with no active maintainer, Akrites will step in as a fallback so a fix can still reach everyone who depends on the code.

JPMorgan Chase CISO Pat Opet explains the underlying logic: success should be measured by fixes reaching live systems, rather than by patches being published.

“We owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust.”

“AI has massively compressed the time between vulnerability discovery and exploitation to near real-time, which means we have to compress the time from fix to deployment,” Opet says. “We owe maintainers a single, reliable signal: confirmed vulnerabilities, well-tested proposed fixes, and a predictable partner they can trust, rather than a flood of duplicative, conflicting reports.”

The Alpha-Omega factor

Akrites is open to new members across three tiers — Premier, for critical infrastructure operators and the vendors they depend on; General, for organizations that want to contribute without committing large engineering resources; and Associate, for open-source foundations and projects at no cost.

Seed funding comes from Alpha-Omega, an Open Source Security Foundation (OpenSSF) project under the Linux Foundation, backed by Anthropic, AWS, Google, Microsoft, OpenAI, and others, with an annual budget of over $7 million. Microsoft’s Azure CTO Mark Russinovich pointed to Alpha-Omega as proof of what coordinated industry action can achieve.

“OpenSSF and Alpha-Omega demonstrated what is possible when industry comes together to strengthen open source security,” Russinovich says. “Building on our experience co-founding these organizations, Akrites was created to address the emerging inflection point of AI-powered vulnerability discovery and defense.”

YOUTUBE.COM/THENEWSTACK

Tech moves fast, don't miss an episode. Subscribe to our YouTube channel to stream all our podcasts, interviews, demos, and more.

Created with Sketch.