Open source code is ubiquitous in companies: it is estimated that more than 90 percent of Fortune 500 companies use it in their software supply chains. However, open source code is notoriously full of vulnerabilities, and finding and fixing these bugs can become a never-ending battle for security teams.
IBM and Red Hat are betting that a new initiative, Project Lightwell, can help accelerate this process. As part of the project, the two companies want to provide five billion dollars and 20,000 engineers from IBM and Red Hat to create a kind of “clearing house” for companies.
According to the companies, this will serve as an AI-powered “security coordination layer” and give companies the ability to integrate patches directly into their existing software supply chains.
“Project Lightwell” is currently in the concept phase with a group of eleven financial partners and will later be offered as a commercial subscription.
“Advances in AI tools have revolutionized the patching landscape – the ability to discover software vulnerabilities without sacrificing remediation speed,” Ashesh Badani, senior vice president and chief product officer at Red Hat, told CSOonline. “Everyone uses open source software and the challenge is not being able to fix vulnerabilities quickly enough.”
Closing the vulnerability remediation gap
The security problems in open source software are well documented: nearly 50,000 Common Vulnerabilities and Exposures (CVEs) were published in 2025, and Anthropic’s Project Glasswing, based on the Mythos Preview model, found around 3,900 previously undetected high or critical severity vulnerabilities in open source software shortly after launch.
IBM operates one of the largest commercial open source ecosystems, leveraging more than 62,000 software packages in environments such as Linux, Kubernetes, Kafka, Terraform and Java. The company already offers lifecycle management, validation and patching there.
With Project Lightwell, these principles will now be extended to AI frameworks, independent libraries, language toolchains and data streaming platforms. The goal is to provide validated security fixes to open source code already deployed in enterprise environments – without affecting stability, certifications or compliance requirements.
According to IBM, this does not require any upgrades or access to the source code. Project Lightwell will backport security fixes to the exact dependency versions that have already been tested and deployed. The solution works from configuration files such as pom.xml, so the code remains within the controlled corporate environment. The initial focus is on Java/Maven; PyPI, npm, Go and other platforms will be supported later.
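The selection step this implies, reading the pinned versions out of a pom.xml and checking them against advisory ranges to see which exact coordinates need a backported fix rather than an upgrade, can be illustrated as follows. This is an added example, not Project Lightwell code; the pom.xml fragment, the coordinates and the advisory ranges are constructed placeholders.

```python
"""Find pinned Maven dependencies that sit inside an advisory's affected range.
Constructed example; not Project Lightwell or IBM/Red Hat code."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment with placeholder coordinates; one version is
# indirected through a Maven property, as is common in real POMs.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><json.version>2.4.1</json.version></properties>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>json-util</artifactId>
      <version>${json.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>net-core</artifactId>
      <version>1.9.0</version></dependency>
  </dependencies>
</project>"""

# Constructed advisories: (groupId, artifactId, first affected, first fixed).
ADVISORIES = [
    ("com.example", "json-util", "2.0.0", "2.5.0"),
    ("com.example", "net-core", "1.0.0", "1.8.2"),
]

def parse_version(v):
    """Numeric dotted versions only; enough for this constructed data."""
    return tuple(int(x) for x in v.split("."))

def pinned_dependencies(pom_xml):
    """Return (groupId, artifactId, resolved version) for each dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: p.text.strip()
             for p in root.findall("m:properties/*", NS)}
    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        g = d.findtext("m:groupId", namespaces=NS)
        a = d.findtext("m:artifactId", namespaces=NS)
        v = d.findtext("m:version", namespaces=NS)
        v = re.sub(r"\$\{([^}]+)\}", lambda m: props[m.group(1)], v)  # resolve ${prop}
        deps.append((g, a, v))
    return deps

def needs_backport(pom_xml, advisories=ADVISORIES):
    """Pinned versions inside [first affected, first fixed) need a backported fix."""
    hits = []
    for g, a, v in pinned_dependencies(pom_xml):
        for ag, aa, lo, fixed in advisories:
            if (g, a) == (ag, aa) and parse_version(lo) <= parse_version(v) < parse_version(fixed):
                hits.append((f"{g}:{a}", v, fixed))
    return hits
```

Here json-util 2.4.1 falls inside its advisory range and is flagged for a backport to the pinned 2.4.1 line, while net-core 1.9.0 is already past its fixed version and is left alone.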
Discreet troubleshooting possible
Companies will also be able to share sensitive vulnerabilities under embargo through a “secure intermediary model” and receive validated patches that cover Red Hat platforms and independent community code. Additionally, they can deploy fixes across dependency chains, report and fix issues in active production environments, and push fixes to the upstream community for integration.
“We want to make sure that any fixes we make available to companies through the clearinghouse find their way back into the open source projects that developed (the code),” explains Badani. “For example, if a piece of Python code has been patched, the fix should be delivered back to the Python community quickly.”
Using advanced AI and working with leading open source contributors, IBM and Red Hat engineers will focus on better connecting upstream and downstream environments so that fixes are immediately usable by businesses. They will also develop patches, analyze and prioritize large numbers of vulnerabilities, and secure dependencies.
According to Badani, the 20,000 engineers come from existing teams at IBM and Red Hat. If necessary, additional specialists will be brought in. The companies want to use both modern foundation models from leading AI laboratories and their own AI tools and frameworks. The five billion dollars will be invested in AI tools and in building the necessary infrastructure.
Project Lightwell’s early backers include Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa and Wells Fargo. After the design phase, the offer will gradually be made available to other customers via a subscription model.
A call to action?
David Shipley of Beauceron Security describes the initiative as “urgently necessary” if companies want to preserve open source in the long term. The era in which trillions of dollars of value rested on the work of volunteer developers came to an abrupt end with Claude Mythos. Companies now have to do their part to support open source.
“If we can’t find a way to invest in open source, the alternative is for everyone to develop their own custom code using AI,” Shipley explains. That would be “enormously wasteful” from a computational and environmental perspective.
People remain indispensable
Red Hat manager Badani emphasizes that while AI is great at uncovering security issues in open source code, the process of troubleshooting can still be tedious. Corrections would first have to be forwarded to the developers, distributed to the open source community and then passed back to customers and users.
“Finding the error is one thing,” says Badani. “The real challenge is the many steps required to actually fix it. It’s exactly this additional time that we want to shorten.”
While the public discussion is often dominated by replacing human developers with AI, Project Lightwell takes the opposite approach, the Red Hat CPO added: “We can address the problem with a combination of AI tools and human knowledge and expertise. Combining both aspects leads to a better result than using only one or the other.” (mb)
