Friday, May 29, 2026

IBM and Red Hat Launch $5 Billion Project Lightwell to Revolutionize Open Source Security in the AI Era


In one of the most significant initiatives aimed at securing the digital infrastructure that underpins the world’s economy, IBM and Red Hat unveiled Project Lightwell today. The $5 billion project combines frontier artificial intelligence with over 20,000 engineers to re-establish the security of open source software. By pooling these resources, the companies are setting up a first-of-its-kind complete mechanism for securing open source code, from upstream developer networks all the way down to production operations.

Project Lightwell includes a trusted enterprise clearinghouse that aims to locate, validate, and fix potential vulnerabilities in software on a massive scale. Serving as a security coordination layer, the clearinghouse will use AI algorithms to extensively evaluate patches across large volumes of open source repositories. Enterprises that subscribe to the service will be able to integrate those patches into their operational software supply chain without compromising its full lifecycle management.

The program comes at a crucial time for corporate digital infrastructure. Open source software now forms the backbone of business processes; over 90% of companies in the Fortune 500 list use it. At the same time, the rapid development of frontier AI models has considerably increased the rate at which flaws in software code are found. According to a recent report by Anthropic, the Mythos Preview model identified about 3,900 vulnerabilities in open source software.


To achieve immediate real-world impact, IBM and Red Hat have already started using Project Lightwell with a carefully selected group of experts from the financial services industry and the technology sector. The companies taking part in the project at this early stage of implementation include Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo.

Project Lightwell builds upon the long-standing leadership of IBM and Red Hat in open source technology, enterprise AI, and cybersecurity. The project integrates critical industry insights from parallel initiatives, such as Anthropic’s Project Glasswing and OpenAI’s Trust Access for Cyber, with the specific intent of deploying new IBM agentic security methodologies to safeguard the fundamental open source layers powering modern business and AI networks.

“Open source is the backbone of today’s digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled,” said Arvind Krishna, Chairman and CEO, IBM. “With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain. This is about strengthening trust in the systems that power business, government, and society.”

Establishing a Trusted Open Source Security Clearinghouse

Project Lightwell expands the proven enterprise open source delivery model developed by IBM and Red Hat, reaching far beyond their traditional product portfolios. IBM currently utilizes more than 62,000 open source software packages, maintaining deep technical expertise in over 10,000 of them. The two organizations already manage one of the technology sector’s most expansive commercial ecosystems, covering foundational infrastructure such as Linux, Java, Kubernetes, Kafka, Ansible, Terraform, Flink, Cassandra, and more, where they have historically provided enterprise lifecycle management, validation, and patching.

With Project Lightwell, the companies are extending this exact engineering rigor to the broader application ecosystem, encompassing independent code libraries, language toolchains, data streaming platforms, and AI frameworks.

This centralized clearinghouse model aims to alleviate the operational strain that enterprises experience when trying to track, patch, and manage independent open source code manually.

Through this infrastructure, subscriber organizations can:

  • Report and Resolve Vulnerabilities: Securely share sensitive code vulnerabilities detected within active corporate software versions through a trusted, intermediary coordination layer.
  • Deploy Validated Patches: Gain access to production-ready patches optimized for performance, spanning both standalone community code and Red Hat environments.
  • Coordinate Upstream Disclosures: Streamline the submission of fixes back to original open source communities to ensure long-term ecosystem maintenance and security.

This collaborative environment lets businesses take advantage of the specialized remediation services from IBM and Red Hat while helping the open source community become more resilient through responsible upstream disclosures.

Human Engineering Amplified by Advanced AI

While many participants across the technology landscape are leveraging artificial intelligence to scale down engineering headcounts, IBM and Red Hat are pursuing a contrasting strategy. The companies view deep technical engineering expertise as a premium strategic asset and a critical source of competitive differentiation.

To drive Project Lightwell, IBM and Red Hat will deploy a dedicated global task force of more than 20,000 engineers, enhanced by advanced AI tools. This technical workforce will focus its efforts across both corporate environments and upstream open source communities, prioritizing three core pillars:

  • Active upstream maintenance in close alignment with open source project leaders;
  • High-velocity, AI-assisted review, triage, and prioritization of software vulnerabilities;
  • The engineering of secure patches, dependency hardening, and resilient release cycles.

Furthermore, Project Lightwell aligns with broader public-sector objectives to safeguard digital infrastructure, defend critical systems, and elevate the cybersecurity posture of open source ecosystems worldwide.
