{"id":8304,"date":"2026-05-29T01:05:55","date_gmt":"2026-05-29T01:05:55","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8304"},"modified":"2026-05-29T01:05:55","modified_gmt":"2026-05-29T01:05:55","slug":"ibm-and-red-hat-want-to-become-the-security-clearinghouse-for-open-source-applications-in-the-enterprise","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8304","title":{"rendered":"IBM and Red Hat want to become the \u2018security clearinghouse\u2019 for open source applications in the enterprise"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Open source code is everywhere in the enterprise; it\u2019s estimated that upwards of 90%<\/a> of Fortune 500 companies have it in their software supply chains. But open source code is notoriously rife with vulnerabilities, and identifying and patching those bugs can be an endless battle for security teams.<\/p>\n

IBM and Red Hat are betting that a new initiative, Project Lightwell<\/a>, can help accelerate this process.<\/p>\n

Announced today, the project will commit $5 billion and 20,000 IBM and Red Hat engineers to build a new \u2018enterprise clearinghouse\u2019 to accelerate discovery and remediation of vulnerabilities in open source software. The companies say the clearinghouse will serve as an AI-powered\u00a0 \u201csecurity coordination layer,\u201d giving enterprises the ability to integrate patches directly into their existing software supply chains.<\/p>\n

Now in the design phase with a group of 11 financial partners, Project Lightwell will eventually be offered as a commercial subscription.<\/p>\n

\u201cThe advancement in AI tools has broken the patching map, which is the ability to discover vulnerabilities in software without losing the speed of remediation,\u201d Ashesh Badani<\/a>, Red Hat SVP and CPO, told CSOonline. \u201cEveryone\u2019s running open source software, and the challenge is not being able to fix vulnerabilities quickly enough.\u201d<\/p>\n

Closing the remediation gap<\/h2>\n

Open source security issues have been well documented: Almost 50,000 common vulnerabilities and exposures (CVEs) were published in 2025<\/a>, and Anthropic\u2019s Project Glasswing, powered by its Mythos Preview<\/a> model, found roughly 3,900<\/a> previously undiscovered high or critical severity vulnerabilities in open source software shortly after launch.<\/p>\n

IBM is considered one of the broadest commercial open source ecosystems, using more than 62,000 packages and operating across Linux, Kubernetes, Kafka, Terraform, Java and other platforms, and providing lifecycle management, validation, and patching for elements within those environments.<\/p>\n

The company says Project Lightwell will now apply those same engineering principles to broader AI frameworks, independent libraries, language toolchains, and data streaming platforms, to deliver validated fixes to open-source code already in use in enterprise environments. This can support remediation without disruption of stability, certification, or compliance.<\/p>\n

No upgrades or access to source code are required; Project Lightwell will backport fixes to exact dependency versions that have already been tested and deployed. It operates on fundamental configuration manifests like pom.xml so code remains in controlled enterprise environments when patched artifacts are rolled out. Initial focus will be on Java\/Maven, but the project will eventually expand to PyPI, npm, Go, and others.<\/p>\n

Enterprises will have the ability to share sensitive vulnerabilities<\/a> under embargo through a \u201csecure intermediary model\u201d and receive validated patches spanning Red Hat platforms and independent community code. They will also be able to deliver fixes across dependency chains; report and address issues across active production environments; and share fixes upstream so the wider open-source community can incorporate them.<\/p>\n

\u201cWe want to make sure that whatever fixes we provide to the enterprises through the clearinghouse also find their way back into the open source community that developed [the code],\u201d Badani explained. For instance, if a piece of Python code was patched, the fix should be quickly delivered back to the Python community. With Project Lightwell, that process can be achieved through a \u201csecure map.\u201d<\/p>\n

Using advanced AI, and working with leading open source contributors, IBM and Red Hat engineers will focus on connecting upstream and downstream environments so fixes are enterprise-ready. They will also develop patches and perform \u201chigh volume\u201d vulnerability review and triage, and dependency hardening.<\/p>\n

The network of 20,000 engineers will come from IBM\u2019s and Red Hat\u2019s existing pools of talent, and the companies will augment those teams as needed, Badani explained. The companies will take advantage of foundation models coming out of frontier labs, as well as their own internally-built AI tools and frameworks. The $5 billion will be used to equip teams with AI tools and build out internal operational infrastructure.<\/p>\n

Early Project Lightwell adopters include Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. Following the initial design period, IBM and Red Hat will phase more customers onto Project Lightwell via a subscription model.<\/p>\n

A call to action?<\/h2>\n

This type of initiative is \u201cdesperately needed\u201d if enterprise is to save open source, noted David Shipley<\/a> of Beauceron Security.<\/p>\n

The days of trillions in wealth depending on volunteers \u201cended violently\u201d with Mythos, he noted, and the bill has ultimately come due for open source. Enterprises will need to pay up, or lose it.<\/p>\n

\u201cIf we don\u2019t find a way to invest in open source, which will close a long-standing equity issue, the alternative is everyone building their own bespoke code using AI,\u201d Shipley said. That would be \u201cmassively wasteful\u201d from a compute and environmental perspective.<\/p>\n

\u201cI hope this drives others to act,\u201d he said.<\/p>\n

Keeping humans in the loop for an ongoing battle<\/h2>\n

Badani emphasized that, while AI is great at discovering security issues<\/a> in open-source code, the patching process can still be cumbersome. Fixes have to be sent upstream, distributed to the open source community, then flow back to customers and users.<\/p>\n

\u201cFinding the bug is one thing,\u201d said Badani. \u201cThe other is all the steps that it takes to actually go and remediate it. That extra amount of time is the gap that we\u2019re trying to help close.\u201d<\/p>\n

Underscoring the severity of the problem, IBM and Red Hat have already had an \u201conslaught of incoming requests\u201d since Project Lightwell was announced.<\/p>\n

\u201cThis isn\u2019t going to stop any time soon,\u201d Badani said. \u201cEven if we were to very successfully solve the initial set of challenges that come to us, this will be something that companies are going to need on an ongoing or recurring basis.\u201d<\/p>\n

And, while the narrative has focused on cutting human engineers in favor of AI, Project Lightwell is focused on the opposite: \u201cWe can address [the problem] with a mixture of AI tools and human knowledge and expertise,\u201d Badani said. \u201cCoupling the two gives you a better outcome than just using one or the other.\u201d<\/p>\n

This article originally appeared on InfoWorld<\/a>.<\/em><\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Open source code is everywhere in the enterprise; it\u2019s estimated that upwards of 90% of Fortune 500 companies have it in their software supply chains. But open source code is notoriously rife with vulnerabilities, and identifying and patching those bugs can be an endless battle for security teams. IBM and Red Hat are betting that […]<\/p>\n","protected":false},"author":0,"featured_media":8305,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8304"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8304"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8304\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8305"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}