IBM and Red Hat Launch $5B Open Source Security Project

IBM and Red Hat announce Project Lightwell, a $5 billion effort to secure open-source software supply chains with AI-assisted engineering.

IBM and Red Hat have announced Project Lightwell, a $5 billion initiative designed to secure open-source software used across enterprise infrastructure, cloud platforms, and AI systems.

IBM describes the project as a trusted enterprise clearinghouse for open-source software security. It pairs AI-assisted vulnerability analysis with a global team of more than 20,000 IBM and Red Hat engineers to identify and validate vulnerabilities, develop patches, and coordinate fixes across open-source supply chains.

“Project Lightwell will establish a trusted enterprise clearinghouse combined with a global force of engineers to identify and fix vulnerabilities at scale. The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to validate and test fixes across an unprecedented volume of open source code.”

The project targets enterprises rather than the general open-source community. IBM will offer the service through commercial subscriptions, enabling organizations to integrate validated security patches into their software supply chains with lifecycle management and production-grade testing.

IBM and Red Hat state that the project will cover a wide range of technologies, including Linux, Java, Kubernetes, Kafka, Ansible, Terraform, Flink, Cassandra, independent libraries, language toolchains, AI frameworks, and data streaming platforms.

The clearinghouse model focuses on three main functions: enabling enterprises to report sensitive vulnerabilities in their software, providing validated patches for both Red Hat and independent community code, and coordinating upstream disclosure so fixes are shared with open-source projects.

IBM positions the initiative as a response to the increasing reliance on open-source software in modern infrastructure and the rapid pace at which AI tools can identify and exploit vulnerabilities. The company notes widespread open-source adoption among Fortune 500 organizations and references recent AI-assisted vulnerability research as evidence of rising security pressures on software supply chains.

Project Lightwell is currently being piloted with early adopters in the financial sector, including Bank of America, BNY, Citi, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. IBM states that feedback from these deployments will inform large-scale vulnerability identification, validation, and remediation.

For Red Hat, this extends its established business model of enterprise-supported open source. Red Hat already handles lifecycle management, validation, and patching for the components of its own platforms; Project Lightwell applies the same engineering processes to open-source components beyond its traditional product boundaries.

IBM states that engineering teams will use AI-assisted review, triage, and prioritization to manage vulnerabilities at scale, while also focusing on upstream maintenance, patch development, dependency hardening, and release engineering.

Finally, the announcement clarifies that Project Lightwell is not intended to replace upstream maintainers or existing open-source security processes. Instead, IBM and Red Hat present it as an enterprise coordination and validation layer connecting companies that rely on open-source software with the upstream communities that maintain it.

For additional details, see IBM’s announcement.

Bobby Borisov


Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
