News and Notes from the Makers of Nexus | Sonatype Blog

The Rise of Collective Defense for Open Source

Written by Brian Fox | June 25, 2026

For most of my career, software security has been treated as an individual responsibility.

Organizations secure their own systems, investigate their own findings, patch their own applications, and measure success by how quickly they can identify and respond to risk inside their own environment.

That approach made sense when software was more self-contained. It makes less sense in a world built on open source.

Today, thousands of organizations depend on the same components. The same libraries run inside banks, hospitals, governments, cloud platforms, AI systems, and critical infrastructure. When a vulnerability appears in one of those components, the impact does not stay neatly inside one company's perimeter. The same flaw can ripple through the dependency graph of the modern world.

The Myth of Independent Defense

The industry still tends to respond to open source vulnerabilities as though every organization is fighting a separate battle. In reality, many of us are fighting over the same terrain.

A vulnerability in a widely used library can trigger hundreds or thousands of independent investigations. Security teams scan for exposure. Researchers validate impact. Vendors assess products. Maintainers receive reports. Consultants publish guidance. Enterprises begin remediation planning.

Some of that work is valuable. A lot of it is duplicated. The same flaw is discovered repeatedly. The same analysis is performed repeatedly. The same fixes are developed repeatedly. At small scale, that inefficiency is manageable. At ecosystem scale, it creates drag on the system.

AI is about to make that drag much worse.

AI Changes the Economics

Artificial intelligence did not create this issue. It exposed it.

For years, vulnerability discovery was constrained by expertise, time, and human effort. Finding a serious flaw in a major project often required deep knowledge of the codebase and weeks of investigation. That assumption is changing quickly.

AI-assisted discovery lowers the cost of finding vulnerabilities. More organizations can perform more analysis against more codebases than ever before. That is good news for defenders, on the surface.

If fifty organizations independently discover the same vulnerability, the ecosystem does not become fifty times safer. In most cases a single maintainer still has to understand the issue and develop the fix. The fix still has to be tested. Disclosure still has to be coordinated.

Discovery scales much faster than repair. As the cost of finding vulnerabilities falls, coordination becomes the scarce resource.

This is the part of the AI security conversation that deserves more attention. Most of the public debate focuses on whether AI helps attackers or defenders more. The answer is probably both, depending on who is using it and how. But regardless of who finds the flaw first, the hard part remains the same: getting from discovery to a responsible fix that reaches the people who depend on the software.

That path is already fragile; AI makes it more crowded.

Shared Dependencies Require Shared Defense

Open source has always benefited from collective investment in development. Collective investment in security will have the same effect.

When thousands of organizations depend on the same component, there is little value in each of them independently rediscovering the same problem and building parallel remediation efforts. The ecosystem benefits more when expertise, resources, and effort can be coordinated around a common objective.

This does not require taking control away from maintainers. Quite the opposite.

The point should be to reduce the burden on maintainers by giving them a more predictable way to work with organizations that depend on their projects.

The organizations that consume open source at a massive scale have resources that many maintainers do not. They have security teams, engineering capacity, infrastructure, and funding. Historically, those capabilities have often been applied independently. The next phase of open source security will require applying them collectively.

That will feel uncomfortable for parts of the industry. Security has long been treated as a competitive function. Companies protect their own products, their own customers, and their own environments.

But open source cuts across those boundaries.

A vulnerable component deep in the dependency graph may sit underneath competitors, partners, vendors, customers, and critical infrastructure at the same time.

At that point, pretending the problem belongs to one organization stops making sense.

Why Open Source Needs Akrites Now

This is one reason I find initiatives like Akrites important — they are not silver bullets, and coordination itself is not a new idea. What has changed is the scale and speed of the problem.

The industry is entering an era where multiple organizations may discover the same vulnerability within minutes or hours of one another. Without coordination, that creates noise, duplicated effort, fragmented fixes, and increased disclosure risk. With coordination, it creates an opportunity to accelerate repair while reducing the burden on maintainers.

The goal should not be more findings for their own sake. The goal should be better outcomes for the ecosystem.

A coordinated remediation effort can often do more for open source security than dozens of isolated investigations operating independently. If the same vulnerability reaches thousands of organizations through the same component, then a well-coordinated upstream fix has enormous leverage.

That is the promise of collective defense for open source. It aligns effort with the way risk actually moves through the software supply chain.

The Next Chapter of Open Source Security

Open source became the foundation of modern software because collaboration scaled development. The future of security will still require maintainers, researchers, vendors, enterprises, governments, and foundations. Increasingly, it will also require mechanisms that allow those groups to work together rather than in parallel.

For years, organizations have consumed the same open source components while largely defending them independently. That model is becoming harder to sustain.

AI is accelerating vulnerability discovery, but the deeper story is how clearly it reveals our shared dependence on the same software infrastructure. When the risk is shared, the defense has to become more shared as well.

Open source won because collaboration scaled software development. The next challenge is making collaboration scale software security.
