On May 28, IBM and Red Hat announced Project Lightwell, a $5 billion initiative aimed at securing open source software with the support of more than 20,000 engineers and advanced artificial intelligence capabilities. The project is designed to create a new model for enterprise use of open source software by establishing a trusted clearinghouse to identify and address vulnerabilities across production environments.
Project Lightwell will serve as a security coordination layer that uses AI to validate and test fixes for large volumes of open source code. These services will be offered through commercial subscriptions, allowing enterprises to integrate secure patches into their existing software supply chains with enterprise-grade validation and lifecycle management.
The companies reported that over 90% of Fortune 500 companies rely on open source software. They cited recent findings from Anthropic’s Mythos Preview model, which identified nearly 3,900 high- or critical-severity vulnerabilities in open source projects. IBM and Red Hat have already begun collaborating with early adopters such as Bank of America, Citi, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo.
Arvind Krishna, Chairman and CEO of IBM, said: “Open source is the backbone of today’s digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled. With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration to secure open source software at its source and across the entire supply chain. This is about strengthening trust in the systems that power business, government, and society.”
The initiative builds on IBM’s experience managing more than 62,000 open source packages across technologies like Linux and Kubernetes. Through Project Lightwell’s clearinghouse model, enterprises can report vulnerabilities within a trusted framework, receive validated patches optimized for production, coordinate upstream disclosures, engage IBM or Red Hat directly for critical issues, and contribute fixes back to community maintenance efforts.
IBM stated it would deploy its global technical force alongside advanced AI tools to support vulnerability review processes as well as patch development at scale. The company emphasized this approach supports government priorities around securing digital infrastructure.