IBM and Red Hat believe they have the answer to open source security risks

Project Lightwell is backed by a $5 billion investment and a team of more than 20,000 engineers

The IBM booth pictured during the RSA Conference in San Francisco, California, US, on Wednesday, April 26, 2023

IBM and its subsidiary Red Hat are pumping $5 billion into improving the security of open-source projects.

Project Lightwell is designed as an enterprise clearinghouse for open source software, with a new AI-driven model for securing the software supply chain.

The idea is to use advanced AI capabilities, offered through commercial subscriptions, to validate and test fixes across a huge volume of open source code. Enterprises will be able to integrate secure patches directly into their existing software supply chains, say the firms, with enterprise-grade validation and lifecycle management.

Enterprises will be able to report and resolve vulnerabilities, receive patches optimized for production environments (covering both Red Hat offerings and independent community code), and share fixes upstream so that open source communities can fold them into long-term maintenance.

And all this will be backed by a team of more than 20,000 engineers working across upstream and enterprise environments. The focus will be on upstream maintenance alongside open source community leaders; high-volume, AI-assisted vulnerability review, triage, and prioritization; and secure patch development, dependency hardening, and release engineering.

"Open source is the backbone of today's digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled," said Arvind Krishna, chairman and CEO of IBM.

"With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain. This is about strengthening trust in the systems that power business, government, and society."

IBM and Red Hat are already working with a group of early adopters on Project Lightwell, including Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo.

"The real-world insights from these initial deployments will actively shape how vulnerabilities are identified, validated, and remediated at scale across complex software supply chains," the firms said.

More than nine in ten Fortune 500 companies rely on open source software, but security is an ever-present problem. Sonatype identified 454,648 malicious open source packages in 2025, up 67% on the previous year, with one state-linked group alone tied to more than 800 malicious packages.

Meanwhile, according to Black Duck, 86% of codebases contain open source vulnerabilities, with 81% of those classified as high or critical risk, up from 74% in the previous year.

"Most enterprises cannot keep up with the volume, complexity, and speed of risk. AI-driven vulnerability discovery is accelerating both the volume and speed of CVE creation, compounding an already unsustainable remediation gap," said IBM.

"Project Lightwell delivers validated fixes to the specific open source versions organizations already run. By combining large-scale engineering, AI, and a coordinated clearinghouse model, it enables organizations to move from detection to remediation without disrupting stability, certification, or compliance requirements."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.