IBM and Red Hat announced Project Lightwell, a $5 billion initiative designed to strengthen the security of open source software through a combination of advanced AI capabilities and a global workforce of more than 20,000 engineers. The effort introduces a new enterprise-focused model for securing software supply chains, spanning everything from upstream development to production environments.
Project Lightwell will establish a trusted open source security clearinghouse that serves as a coordination layer for identifying, validating, and remediating vulnerabilities at scale. Using AI-powered analysis and testing, the platform will help organizations validate security fixes across large volumes of open source code. These capabilities will be delivered through commercial subscriptions, enabling enterprises to integrate validated patches directly into their software supply chains while maintaining enterprise-grade lifecycle management.
The initiative comes as open source software continues to serve as a critical foundation for modern enterprise infrastructure and AI systems. IBM and Red Hat noted that more than 90% of Fortune 500 companies rely on open source software, while advances in frontier AI are accelerating both vulnerability discovery and exploitation.
IBM and Red Hat have already begun working with an initial group of organizations participating in Project Lightwell, including Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. Feedback from these deployments will help shape how vulnerabilities are identified, validated, and remediated across complex enterprise software environments.
The companies said Project Lightwell builds on their longstanding involvement in open source technologies and incorporates lessons from industry initiatives focused on AI-enabled cybersecurity. The effort aims to strengthen the security of foundational open source components that underpin enterprise applications and AI systems.
Project Lightwell expands IBM and Red Hat’s existing enterprise open source model beyond their traditional product offerings. IBM currently uses more than 62,000 open source packages and maintains expertise across more than 10,000 projects. The companies plan to apply their engineering practices for lifecycle management, validation, and patching to a broader ecosystem that includes independent libraries, language toolchains, AI frameworks, and data streaming platforms.
Through the clearinghouse model, enterprises will be able to report vulnerabilities through a trusted intermediary framework, receive production-ready validated patches, and coordinate responsible upstream disclosures with open source communities. IBM and Red Hat said this approach enables organizations to address security issues while contributing improvements back to the broader open source ecosystem.
To support the initiative, IBM and Red Hat will deploy more than 20,000 engineers, augmented by AI-driven capabilities. The teams will focus on upstream maintenance, AI-assisted vulnerability triage and prioritization, secure patch development, dependency hardening, and release engineering.
The companies said Project Lightwell aligns with broader efforts to improve digital infrastructure security and increase the resilience of open source software ecosystems that support governments, enterprises, and critical industries worldwide.
KEY QUOTES:
“Open source is the backbone of today’s digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled. With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain. This is about strengthening trust in the systems that power business, government, and society.”
Arvind Krishna, Chairman and CEO, IBM