Open source code is everywhere in the enterprise; it’s estimated that upwards of 90% of Fortune 500 companies have it in their software supply chains. But open source code is notoriously rife with vulnerabilities, and identifying and patching those bugs can be an endless battle for security teams.
IBM and Red Hat are betting that a new initiative, Project Lightwell, can help accelerate this process.
Announced today, the project will commit $5 billion and 20,000 IBM and Red Hat engineers to build a new ‘enterprise clearinghouse’ to accelerate discovery and remediation of vulnerabilities in open source software. The companies say the clearinghouse will serve as an AI-powered “security coordination layer,” giving enterprises the ability to integrate patches directly into their existing software supply chains.
Now in the design phase with a group of 11 financial partners, Project Lightwell will eventually be offered as a commercial subscription.
“The advancement in AI tools has broken the patching map, which is the ability to discover vulnerabilities in software without losing the speed of remediation,” Ashesh Badani, Red Hat SVP and CPO, told CSOonline. “Everyone’s running open source software, and the challenge is not being able to fix vulnerabilities quickly enough.”
Closing the remediation gap
Open source security issues have been well documented: Almost 50,000 common vulnerabilities and exposures (CVEs) were published in 2025, and Anthropic’s Project Glasswing, powered by its Mythos Preview model, found roughly 3,900 previously undiscovered high or critical severity vulnerabilities in open source software shortly after launch.
IBM is considered one of the broadest commercial open source ecosystems, using more than 62,000 packages and operating across Linux, Kubernetes, Kafka, Terraform, Java and other platforms, and providing lifecycle management, validation, and patching for elements within those environments.
The company says Project Lightwell will now apply those same engineering principles to broader AI frameworks, independent libraries, language toolchains, and data streaming platforms, to deliver validated fixes to open-source code already in use in enterprise environments. This can support remediation without disrupting stability, certification, or compliance.
No upgrades or access to source code are required; Project Lightwell will backport fixes to exact dependency versions that have already been tested and deployed. It operates on fundamental configuration manifests like pom.xml so code remains in controlled enterprise environments when patched artifacts are rolled out. Initial focus will be on Java/Maven, but the project will eventually expand to PyPI, npm, Go, and others.
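The manifest-level approach described above can be illustrated with a small script. The following is an added example, not code from Project Lightwell, IBM, or Red Hat: it parses a constructed pom.xml, matches each exactly pinned dependency against a constructed backport catalogue (the coordinates, advisory ID, and patched version are placeholders), and rewrites only the affected pins to the backported build, leaving every other dependency and the rest of the manifest untouched. Dependencies whose version is inherited from a BOM or expressed as a Maven property are reported rather than silently skipped, since they cannot be matched by exact version without further resolution.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample manifest (not from the article). One dependency is pinned
# to an affected version, one is clean, one is managed elsewhere (no <version>).
SAMPLE_POM = f"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.bank</groupId>
  <artifactId>payments-service</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-parser</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>http-client</artifactId>
      <version>4.5.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>logging-core</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Constructed backport catalogue: an exact affected coordinate maps to a patched
# build cut from the same version line. Advisory ID and version are placeholders.
BACKPORTS = {
    ("org.example", "json-parser", "2.3.1"): {
        "advisory": "ADV-PLACEHOLDER-0001",
        "patched": "2.3.1-backport-1",
    },
}


def _coordinate(dep):
    """Return (groupId, artifactId, version) for a <dependency> element.
    version is None when the pin is inherited from dependencyManagement/BOM."""
    return (
        dep.findtext("m:groupId", namespaces=NS),
        dep.findtext("m:artifactId", namespaces=NS),
        dep.findtext("m:version", namespaces=NS),
    )


def dependencies(pom_xml):
    """List every declared dependency coordinate in the manifest."""
    root = ET.fromstring(pom_xml)
    return [_coordinate(d) for d in root.findall("m:dependencies/m:dependency", NS)]


def plan_backports(pom_xml, catalogue):
    """Classify each dependency: 'patch' (exact match in catalogue),
    'unresolved' (no literal version to compare) or 'clean'."""
    plan = []
    for coord in dependencies(pom_xml):
        version = coord[2]
        if version is None or version.startswith("${"):
            plan.append((coord, "unresolved"))  # needs BOM/property resolution first
        elif coord in catalogue:
            plan.append((coord, "patch"))
        else:
            plan.append((coord, "clean"))
    return plan


def apply_backports(pom_xml, catalogue):
    """Rewrite only the matched <version> pins; return (new_xml, changed_coords)."""
    ET.register_namespace("", POM_NS)  # keep the default namespace on output
    root = ET.fromstring(pom_xml)
    changed = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coord = _coordinate(dep)
        if coord in catalogue:
            dep.find("m:version", NS).text = catalogue[coord]["patched"]
            changed.append(coord)
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for coord, status in plan_backports(SAMPLE_POM, BACKPORTS):
        print(f"{status:10s} {coord[0]}:{coord[1]}:{coord[2]}")
    new_pom, changed = apply_backports(SAMPLE_POM, BACKPORTS)
    print(f"rewrote {len(changed)} pin(s)")
    print(new_pom)
```

The point of the design is that the exact-version match is the safety property: a pin that does not match the catalogue byte-for-byte is never rewritten, and an unresolved version is surfaced for a human rather than guessed at, which is what keeps certification and compliance state intact while the patched artifact is rolled out.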
Enterprises will have the ability to share sensitive vulnerabilities under embargo through a “secure intermediary model” and receive validated patches spanning Red Hat platforms and independent community code. They will also be able to deliver fixes across dependency chains; report and address issues across active production environments; and share fixes upstream so the wider open-source community can incorporate them.
“We want to make sure that whatever fixes we provide to the enterprises through the clearinghouse also find their way back into the open source community that developed [the code],” Badani explained. For instance, if a piece of Python code was patched, the fix should be quickly delivered back to the Python community. With Project Lightwell, that process can be achieved through a “secure map.”
Using advanced AI, and working with leading open source contributors, IBM and Red Hat engineers will focus on connecting upstream and downstream environments so fixes are enterprise-ready. They will also develop patches and perform “high volume” vulnerability review and triage, and dependency hardening.
The network of 20,000 engineers will come from IBM’s and Red Hat’s existing pools of talent, and the companies will augment those teams as needed, Badani explained. The companies will take advantage of foundation models coming out of frontier labs, as well as their own internally built AI tools and frameworks. The $5 billion will be used to equip teams with AI tools and build out internal operational infrastructure.
Early Project Lightwell adopters include Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. Following the initial design period, IBM and Red Hat will phase more customers onto Project Lightwell via a subscription model.
A call to action?
This type of initiative is “desperately needed” if enterprises are to save open source, noted David Shipley of Beauceron Security.
The days of trillions in wealth depending on volunteers “ended violently” with Mythos, he noted, and the bill has ultimately come due for open source. Enterprises will need to pay up, or lose it.
“If we don’t find a way to invest in open source, which will close a long-standing equity issue, the alternative is everyone building their own bespoke code using AI,” Shipley said. That would be “massively wasteful” from a compute and environmental perspective.
“I hope this drives others to act,” he said.
Keeping humans in the loop for an ongoing battle
Badani emphasized that, while AI is great at discovering security issues in open-source code, the patching process can still be cumbersome. Fixes have to be sent upstream, distributed to the open source community, then flow back to customers and users.
“Finding the bug is one thing,” said Badani. “The other is all the steps that it takes to actually go and remediate it. That extra amount of time is the gap that we’re trying to help close.”
Underscoring the severity of the problem, IBM and Red Hat have already had an “onslaught of incoming requests” since Project Lightwell was announced.
“This isn’t going to stop any time soon,” Badani said. “Even if we were to very successfully solve the initial set of challenges that come to us, this will be something that companies are going to need on an ongoing or recurring basis.”
And, while the narrative has focused on cutting human engineers in favor of AI, Project Lightwell is focused on the opposite: “We can address [the problem] with a mixture of AI tools and human knowledge and expertise,” Badani said. “Coupling the two gives you a better outcome than just using one or the other.”
This article originally appeared on InfoWorld.