6 Sources
[1]
Open-source security is a mess - IBM and Red Hat bet $5 billion and 20,000 engineers can fix it
ZDNET's key takeaways:
* Lightwell is a huge effort to safeguard open-source software.
* IBM and Red Hat are investing in this massive security initiative.
* We don't yet know how this subscription-based service will work.

AI is a mixed blessing for open-source software. On the one hand, AI can help developers program faster and find bugs more quickly. On the other hand, maintainers are being overwhelmed by the sheer volume of potentially serious bug reports. As Daniel Stenberg, founder and maintainer of the popular open-source data transfer program cURL, recently said, "The rate of incoming security reports is four to five times higher than it was in 2024 and double the speed of 2025." For the first time, he confessed, "I work more than I've done before, but the flood keeps coming." Stenberg is on the verge of burning out. So, he asked for more companies "to fund us" so they could then pay more developers to distribute the workload.

Now, IBM and its subsidiary Red Hat have heard the call. Their answer is Project Lightwell, an AI-powered initiative they described as a "first-of-its-kind force" to find and fix vulnerabilities in open-source software at an industrial scale. Lightwell aims to become a de facto clearinghouse for securing the open-source components that underpin modern enterprise IT. However, the initiative will not pay upstream developers. Instead, Lightwell provides IBM and Red Hat engineers with AI tools to work on important, business-critical open-source projects and make them as secure as possible. Since Anthropic's Mythos Preview model has already identified nearly 3,900 serious security vulnerabilities in open-source software in just a few weeks, the urgent need for faster fixes is crystal clear.
To take this step, the two companies will invest $5 billion over the following years to roll out frontier-scale AI models, tooling, and a global engineering organization dedicated to open-source security. This move isn't just an AI play. The companies will also dedicate 20,000 engineers to treating open-source risk as a first-order supply chain problem, not a background maintenance chore.

After all, as ZDNET's own David Gewirtz recently pointed out, "traditional application security is no longer enough." It's not even close to being enough.

Boosting open-source code security

At the heart of Project Lightwell is a new operational model that bridges the gap between enterprises and the upstream communities that build the software they rely on. Rather than launching yet another bug bounty program or code-scanning service, IBM and Red Hat are pitching Lightwell as a trusted intermediary. That is, businesses will feed the initiative information about the open-source software they run. Then, Lightwell engineers will use AI to hunt for flaws and propose fixes. After that, its engineers will work with upstream maintainers to get patches merged and shipped.

The companies said this clearinghouse will combine several functions that today are fragmented across internal security teams, third-party scanners, and community maintainers. Those functions include large-scale vulnerability discovery, triage and prioritization, patch development, backporting, and long-term lifecycle support for the specific versions enterprises actually deploy. If all goes well, this approach will transform the trickle of manual fixes into a high-throughput remediation pipeline that still respects project governance and open development norms.
As Arvind Krishna, IBM's Chairman and CEO, said in a statement, "With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain."

Lightwell will start with the Maven/Java ecosystem, which witnessed enormous abuse even before AI appeared on the scene. The project will then be expanded across PyPI, npm, Go, and other important open-source codebases. IBM's latest AI models will power Lightwell. These systems will be trained to scan massive codebases, dependency graphs, and configuration archives for potential vulnerabilities, then generate candidate patches that human engineers validate before anything goes upstream or into customer environments.

The companies argued that this human-in-the-loop approach is essential if AI is to be trusted with security-critical code. Models can surface patterns and issues that human reviewers would never have time to cover, IBM said. However, final decisions about what constitutes a safe and acceptable fix will remain with experienced engineers and project maintainers. In practice, Lightwell is meant to appear to communities as a particularly large and well-organized contributor, not as an opaque automation layer dropping unsolicited pull requests.

Working with, not around, upstream

For Red Hat, Project Lightwell extends a playbook honed for decades. The initiative will take upstream open source, harden and support it for enterprises, and push improvements back to the community. The difference is scope.
While Red Hat's traditional model has centered on platforms such as its own products, including Red Hat Enterprise Linux (RHEL), OpenShift, and Ansible, Lightwell will target the sprawling long tail of libraries, frameworks, and tools that quietly underpin everything from banking systems to AI pipelines. The companies said Lightwell engineers will file issues, propose patches, and co-maintain critical components alongside existing project leaders rather than forking or replacing them. When upstream maintainers disagree with a fix or decline to support an older branch, Lightwell will still be able to carry hardened backports for its customers. But IBM and Red Hat insisted that the default path is upstream-first, with the clearinghouse acting as a bridge between enterprise production demands and community release cadences.

Supply chain risk as an opportunity

At the same time, IBM and Red Hat explicitly said, "These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management." These subscriptions are positioned as an overlay on existing software supply chains, not a new distro: Lightwell plugs into Continuous Integration and Continuous Deployment (CI/CD), registries, and Software Bill of Materials (SBOM) processes companies already use, delivering vetted fixes and policy decisions via APIs, catalogs, and integrations.

IBM's senior VP of software, Rob Thomas, told Reuters, "The service will launch as a commercial offering in the next 30 days."
This subscription, which will probably be priced according to the number of packages used, will provide clients with a "stamp of approval from the clearinghouse that their open source is safe to use in production." That service is all well and good, and certainly the two powerhouse companies will be investing a ton of money and deserve to make a profit, but how do the upstream open-source developers and their businesses fit into this new approach? Will this proposed trusted enterprise clearinghouse become a de facto gatekeeper for big companies? If the patches are all placed in upstream repositories, what, exactly, will customers be paying for? Those are all good questions, and right now there are no good answers. Stay tuned.
[2]
IBM and Red Hat want to become the 'security clearinghouse' for open source applications in the enterprise
IBM and Red Hat are betting that a new initiative, Project Lightwell, can help accelerate this process. Announced today, the project will commit $5 billion and 20,000 IBM and Red Hat engineers to build a new 'enterprise clearinghouse' to accelerate discovery and remediation of vulnerabilities in open source software. The companies say the clearinghouse will serve as an AI-powered "security coordination layer," giving enterprises the ability to integrate patches directly into their existing software supply chains. Now in the design phase with a group of 11 financial partners, Project Lightwell will eventually be offered as a commercial subscription.

"The advancement in AI tools has broken the patching map, which is the ability to discover vulnerabilities in software without losing the speed of remediation," Ashesh Badani, Red Hat SVP and CPO, told CSOonline. "Everyone's running open source software, and the challenge is not being able to fix vulnerabilities quickly enough."

Closing the remediation gap

Open source security issues have been well documented: Almost 50,000 common vulnerabilities and exposures (CVEs) were published in 2025, and Anthropic's Project Glasswing, powered by its Mythos Preview model, found roughly 3,900 previously undiscovered high or critical severity vulnerabilities in open source software shortly after launch.
[3]
Exclusive: IBM launches $5 billion AI push to combat cyber threats
Why it matters: AI is supercharging cyberattacks, pushing companies to adopt the same technology to defend against threats.

Driving the news: "Project Lightwell" -- the new initiative by IBM and Red Hat, its open source software subsidiary -- uses frontier AI capabilities to establish a "clearinghouse" to identify and fix vulnerabilities at scale.
* Bank of America, JPMorganChase, Visa, Mastercard, Wells Fargo and Morgan Stanley are early adopters of the platform.

How it works: Red Hat's cyber tools have focused on software running within Red Hat platforms.
* Project Lightwell expands those protections to a broader set of open source technologies, including AI frameworks, coding libraries and data streaming platforms such as Apache Kafka.
* Part of the $5 billion is going toward the 20,000 engineers, who are all current IBM employees and will be dedicated to the project full-time.

What we're watching: IBM CEO Arvind Krishna said he expects the government to be very interested in a solution like Project Lightwell: "We believe that at least some people in the government are looking for the private sector to step up with an answer like this."
* "Over the last few weeks, ever since Mythos came out, there have been a lot of conversations with very senior levels of the government. We did put forward that something like this could be one of the potential responses, so that has been discussed," Krishna said.
* The White House last week pulled an AI executive order following internal disagreements over how exactly to address cybersecurity fears and to what extent AI should be regulated.
* Krishna said he also expects the project to expand beyond the financial sector in a matter of days or weeks, not months.

The big picture: More than 90% of Fortune 500 companies rely on open source software, while the AI boom has fueled a dramatic increase in the volume of open source code.
[4]
IBM, Red Hat launch $5B Project Lightwell to boost open-source security
IBM Corp. and its Red Hat subsidiary today launched an initiative called Project Lightwell to improve the security of open-source projects. Project Lightwell is backed by a $5 billion commitment. In addition, IBM and Red Hat will assign more than 20,000 engineers to the initiative.

Red Hat, which became part of IBM through a 2019 acquisition, sells a popular Linux distribution called RHEL. Its code is publicly available, but organizations must buy a license to use it in software projects. Red Hat also develops other open-source tools that automate tasks such as configuring cloud infrastructure. The Linux distributor has long operated a program through which its engineers find and fix vulnerabilities in its software. Project Lightwell will extend IBM's work in that area beyond the Red Hat product portfolio to the broader open-source ecosystem. According to the company, the goal is to help enterprises remediate vulnerabilities in the open-source tools that power their software. IBM will provide access to Project Lightwell through subscriptions.

When developers integrate an open-source project into an application, they often don't use the latest version of the component. Even when they do use the latest version, there is a risk that the component will become outdated in the future due to a lack of updates. That can create challenges if a vulnerability is discovered in the project. In many cases, cybersecurity patches aren't immediately available for legacy versions of an open-source tool. Moreover, there are situations where installing a patch requires updating the affected tool to the latest release. That can necessitate significant code changes to the application in which the component is installed.

The IBM and Red Hat engineers assigned to Project Lightwell will use artificial intelligence to find vulnerabilities in open-source projects.
From there, they will develop patches and backport them to the specific open-source project versions used by customers. IBM says that the backported patches will remove the need for companies to upgrade open-source components to the latest version.

Project Lightwell will also encompass certain other initiatives. IBM and Red Hat plan to disclose vulnerabilities discovered by their engineers to the maintainers of the affected open-source projects. They will create a "trusted intermediary framework" to facilitate such information sharing.

"Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain," said IBM Chief Executive Officer Arvind Krishna.

Project Lightwell may create more competition for software supply chain security startups such as Chainguard Inc. and Socket Inc. The former company, which raised $280 million last year, provides hardened versions of open-source projects. Socket sells tools that make it easier for developers to install open-source patches and ease certain related tasks.
[5]
IBM commits $5 billion to secure open-source software
The initiative, called Project Lightwell, seeks to create a "clearinghouse" for open source security, establishing a model for managing risks across the software supply chain.

IBM said on Thursday it has committed $5 billion to an initiative that will deploy engineers and AI tools to help companies better secure open source software. Open source software is freely available code that anyone can use and modify, and powers the technology systems of most companies. Its widespread use, however, has made it a prime target for hackers at a time when AI is making it easier for bad actors to find and exploit security flaws.

IBM and its hybrid cloud unit Red Hat have piloted the initiative with a few companies, including Bank of America, JPMorgan Chase and Visa, to refine how the system identifies and fixes vulnerabilities across complex enterprise software. The service will launch "as a commercial offering in the next 30 days," IBM's senior vice president of software, Rob Thomas, told Reuters. Thomas said the service, offered via subscriptions likely priced by the number of packages used, provides clients with a "stamp of approval from the clearinghouse that their open source is safe to use in production."

Project Lightwell will be a central hub where companies can confidentially report security flaws, receive tested fixes and share those fixes with the broader open source community. Designed to secure software across its full life cycle - from development through to production environments - it will allow businesses to plug vetted security patches directly into their existing systems. Project Lightwell expands Red Hat's traditional approach of securing software within its own platforms to cover a broader ecosystem of independent open source components, including libraries and AI frameworks.
[6]
IBM, Red Hat Pledge $5 Billion for AI-Driven Open Source Security Initiative
International Business Machines and Red Hat have committed $5 billion to establish a new model for open-source software, aiming to secure software supply chains for enterprises. Under the new project, dubbed Project Lightwell, the companies said Thursday they will deploy a global force of 20,000 engineers, supported by advanced artificial intelligence, to establish a trusted enterprise clearinghouse. The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to identify, test and fix security vulnerabilities across massive volumes of open-source code.

The capabilities will be available through commercial subscriptions, allowing enterprises to report bugs within open-source frameworks and receive validated, production-ready patches that can be directly integrated into their software supply chains. IBM said that more than 90% of Fortune 500 companies currently rely heavily on open-source software, with new AI models making it easier for bad actors to find and exploit software vulnerabilities. IBM and Red Hat added they have already begun collaborating with a select group of early adopters on Project Lightwell, including Bank of America, Citi, Goldman Sachs, Morgan Stanley, Visa and Wells Fargo.

"Open source is the backbone of today's digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured and scaled," IBM Chief Executive Arvind Krishna said. "With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise and trusted collaboration, to secure open source software at its source and across the entire supply chain," he added.
IBM and Red Hat unveiled Project Lightwell, committing $5 billion and 20,000 engineers to create an AI-powered clearinghouse for open-source security. The initiative addresses the surge in vulnerabilities discovered by AI tools, with early adopters including Bank of America, JPMorgan Chase, and Visa. The subscription-based service launches commercially within 30 days.
IBM and Red Hat announced Project Lightwell, a $5 billion investment to transform how enterprises handle open-source security vulnerabilities. The initiative deploys 20,000 engineers, all current IBM employees working full-time, to create what the companies call an AI-powered security clearinghouse for securing open-source software [1][3]. This represents a fundamental shift in how the industry approaches software supply chain security, treating open-source risk as a first-order supply chain problem rather than a background maintenance task.
The timing reflects an urgent crisis in open-source maintenance. Daniel Stenberg, founder of the popular cURL data transfer program, reported that security reports now arrive at four to five times the rate of 2024, pushing maintainers toward burnout [1]. Meanwhile, Anthropic's Mythos Preview model recently identified nearly 3,900 serious vulnerabilities in open-source software within weeks of launch, demonstrating how AI accelerates both threat discovery and the need for faster remediation of software vulnerabilities [1][2].
Project Lightwell operates as a trusted intermediary between enterprises and upstream open-source communities. Businesses feed information about the open-source software they run into the system, then Lightwell engineers use AI to identify and patch vulnerabilities before working with upstream maintainers to merge fixes [1]. The initiative combines large-scale vulnerability discovery, triage, patch development, backporting, and long-term lifecycle support for the specific versions enterprises actually deploy.

This approach addresses a critical pain point: companies often don't use the latest version of open-source components, and cybersecurity patches aren't immediately available for legacy versions [4]. By backporting patches to specific versions, Project Lightwell removes the need for companies to upgrade components to the latest release, which can require significant code changes.

The system employs a human-in-the-loop approach where IBM's latest AI models scan massive codebases, dependency graphs, and configuration archives, then generate candidate patches that experienced engineers validate before deployment [1]. "The advancement in AI tools has broken the patching map, which is the ability to discover vulnerabilities in software without losing the speed of remediation," explained Ashesh Badani, Red Hat SVP and CPO [2].

Bank of America, JPMorgan Chase, Visa, Mastercard, Wells Fargo, and Morgan Stanley are piloting the initiative to refine how the system identifies and fixes vulnerabilities across complex enterprise software [3][5]. The service will launch as a commercial subscription within 30 days, likely priced by the number of packages used, providing clients with a "stamp of approval from the clearinghouse that their open source is safe to use in production," according to IBM's senior vice president of software, Rob Thomas [5].

Project Lightwell will start with the Maven/Java ecosystem, which has witnessed enormous abuse even before AI appeared, then expand across PyPI, npm, Go, and other critical open-source codebases [1]. The initiative extends Red Hat's protections beyond its own platforms to cover AI frameworks, coding libraries, and data streaming platforms such as Apache Kafka [3].
Arvind Krishna, IBM's Chairman and CEO, expects significant government interest in combating cyber threats through this model. "Over the last few weeks, ever since Mythos came out, there have been a lot of conversations with very senior levels of the government," Krishna said, noting that Project Lightwell could serve as a potential response to AI-driven security challenges [3]. This comes as the White House recently pulled an AI executive order following internal disagreements over cybersecurity approaches.

The initiative positions IBM and Red Hat to compete directly with software supply chain security startups like Chainguard Inc., which raised $280 million last year providing hardened versions of open-source projects, and Socket Inc., which sells tools for installing open-source patches [4]. With more than 90% of Fortune 500 companies relying on open-source software, Krishna expects the project to expand beyond the financial sector within days or weeks [3].

The clearinghouse model includes vulnerability disclosure protocols where IBM and Red Hat will share discovered vulnerabilities with maintainers of affected open-source projects through a "trusted intermediary framework" [4]. This approach aims to transform the current trickle of manual fixes into a high-throughput remediation pipeline while respecting project governance and open development norms.

Summarized by Navi