IBM and Red Hat have introduced Project Lightwell, a $5 billion initiative, supported by frontier AI capabilities and a global team of more than 20,000 engineers, aimed at strengthening the security of open source software for enterprises. The investment establishes a new enterprise model for open source adoption, spanning everything from upstream development to production environments.
At the core of Project Lightwell is the creation of a trusted enterprise clearinghouse, backed by a worldwide engineering workforce, to identify and remediate vulnerabilities at scale. The clearinghouse will function as a central security coordination layer, leveraging advanced AI to validate and test fixes across vast volumes of open source code. These capabilities will be delivered through commercial subscriptions, enabling organizations to seamlessly integrate secure patches into their software supply chains with enterprise-grade validation and lifecycle management.
Open source software is foundational to modern enterprise infrastructure, with over 90% of Fortune 500 companies depending on it. However, rapid advances in frontier AI are accelerating both the discovery and exploitation of vulnerabilities. Anthropic recently reported that its Mythos Preview model uncovered nearly 3,900 high- or critical-severity vulnerabilities in open source software alone.
IBM and Red Hat have already begun collaborating with a select group of early adopters on Project Lightwell, including Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa and Wells Fargo. The real-world insights from these initial deployments will actively shape how vulnerabilities are identified, validated, and remediated at scale across complex software supply chains.
Project Lightwell builds on IBM and Red Hat’s leadership in open source, enterprise AI and security, and incorporates learnings from initiatives such as Anthropic’s Project Glasswing and OpenAI’s Trust Access for Cyber, with a goal of utilizing new IBM agentic security methods to protect the foundational open source layers that underpin modern enterprise and AI systems.
“Open source is the backbone of today’s digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled,” said Arvind Krishna, Chairman and CEO, IBM. “With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain. This is about strengthening trust in the systems that power business, government, and society.”
Launching a Trusted Open Source Security Clearinghouse
Project Lightwell builds on IBM and Red Hat’s proven enterprise open source model, extending it beyond their traditional product footprint. IBM already uses more than 62,000 open source packages, with deep expertise in over 10,000. Across technologies like Linux, Java, Kubernetes, Kafka, Ansible, Terraform, Flink, Cassandra and more, the companies operate one of the industry’s broadest commercial open source ecosystems, historically providing lifecycle management, validation, and patching for components within their platforms. Now, IBM and Red Hat are applying the same engineering discipline to the broader application landscape, including independent libraries, language toolchains, AI frameworks, and data streaming platforms.
This approach directly addresses the operational risk enterprises take on when they manage independent open source code on their own. Through the clearinghouse model, enterprise organizations can:
* Report and resolve vulnerabilities: Responsibly share sensitive security issues discovered in their active software versions within a trusted intermediary framework.
* Deploy validated patches: Receive patches optimized for production environments, spanning both Red Hat offerings and independent community code.
* Coordinate upstream disclosures: Share fixes upstream so that open source communities can include them in long-term maintenance.
This model allows enterprises to engage IBM and Red Hat to resolve critical security issues while strengthening open source overall through responsible upstream disclosure.
AI-Powered Engineering at Global Scale
At a time when many technology companies are using AI to reduce technical headcount, IBM and Red Hat are taking a different approach, positioning technical engineering capacity as a premium strategic asset and a source of market differentiation.
IBM and Red Hat will deploy a team of more than 20,000 engineers, augmented by advanced AI capabilities. This global technical force will operate across upstream and enterprise environments, focusing on:
* Upstream maintenance alongside open source community leaders;
* High-volume, AI-assisted vulnerability review, triage, and prioritization;
* Secure patch development, dependency hardening, and release engineering.
Project Lightwell supports government priorities to secure digital infrastructure, protect critical systems, and strengthen the overall resilience of open source software ecosystems.