IBM and Red Hat on May 28 launched Project Lightwell, a $5 billion investment backed by a global workforce of more than 20,000 engineers focused on solving open-source security.The news was mostly well-received by security pros, who point out that open-source software has been the target of any number of high-profile security cases, including Mini Shai Hulud, Log4j, and SolarWinds.While not as massive as the most celebrated cases, hardly a week goes by that the industry doesn’t face some important open-source software incident. Project Lightwell aims to find some answers to these ongoing challenges by creating a clearinghouse in which a massive team of engineers work to identify and fix open-source vulnerabilities.“Open-source is the backbone of today’s digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled,” said Arvind Krishna, Chairman and CEO, IBM. “With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open-source software at its source and across the entire supply chain.”IBM and Red Hat have already begun collaborating with a group of early adopters in the financial services industry, including Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. According to IBM and Red Hat, Project Lightwell will build on its many years of work in the open-source field and will incorporate lessons learned from recent AI initiatives such as Anthropic’s Project Glasswing and OpenAI’s Trust Access for Cyber. Jacob Warner, director of IT at Xcape, Inc, said this $5 billion commitment by IBM and Red Hat marks a structural transition from passive vulnerability scanning to active, high-volume supply chain triage. Warner said Project Lightwell is not an act of software philanthropy: it’s a highly calculated, commercial insurance model for open-source software.“By organizing an AI-driven ‘enterprise clearinghouse’ backed by a massive technical army of 20,000 engineers, IBM and Red Hat are establishing a paid validation layer to sit between vulnerable upstream community repositories and production enterprise environments,” said Warner. “Security executives must recognize that Project Lightwell establishes a new standard for third-party risk management."Going forward, organizations cannot simply trust open-source ecosystems natively," Warner continued. "They must either budget for commercial assurance brokers to validate their dependencies or build highly mature, internal staging environments capable of continuously testing and deploying AI-generated hotfixes without shattering production stability.”Diana Kelley, chief information security officer at Noma Security, added that the industry needs this kind of timely investment because open source has become foundational to modern software. However, Kelley said we can’t address open-source security one vulnerable package at a time.“It needs a trusted supply chain approach, and an AI-powered clearinghouse where vulnerabilities can be reported confidentially, fixes can be validated, and improvements can flow back to the community could move the whole model forward,” said Kelley. "Efforts, such as Microsoft MDASH and Anthropic’s Project Glasswing demonstrate that AI is becoming a serious defender-side capability for vulnerability discovery and remediation. Project Lightwell brings that momentum to the specific challenge of scaling tested fixes across the OSS ecosystem without every enterprise having to solve the same problem alone.”Ryan McCurdy, vice president at Liquibase, said what makes Project Lightwell different is not just the $5 billion number — it’s the recognition that open-source security can no longer rely on community-speed response times when AI has accelerated vulnerability discovery and exploitation.“Discovery is speeding up, attacker pressure is rising, and most open-source ecosystems that underpin large enterprises still do not come with guaranteed SLAs for fixing critical flaws,” said McCurdy. “IBM and Red Hat are putting real scale behind that gap. Anthropic’s Project Glasswing points in a similar direction, even if the model is different. I would expect more of these efforts, especially from vendors closest to infrastructure, cloud, software delivery, and security operations.”
AI/ML, Generative AI
IBM, Red Hat launch Project Lightwell to secure open-source software

(Adobe Stock)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
Related Terms
AlgorithmYou can skip this ad in 5 seconds



