Open source software has become the backbone of the modern enterprise. According to recent data, 90% of Fortune 500 companies integrate it into their software supply chains. However, this massive dependency comes with a dark side: security vulnerabilities. Identifying and patching these flaws is an endless battle for security teams, who are often overwhelmed by the speed at which new threats emerge.

IBM and Red Hat have announced Project Lightwell, an initiative that will mobilize $5 billion and 20,000 engineers to build an 'enterprise clearinghouse' dedicated to accelerating the discovery and remediation of vulnerabilities in open source software. This center will act as an AI-driven security coordination layer, providing companies with the ability to integrate patches directly into their existing software supply chains.
Ashesh Badani, senior vice president and head of Product at Red Hat, explained to CSOonline that 'advances in AI tools have broken the patching map, which is the ability to discover vulnerabilities in software without losing remediation speed.' In his view, 'everyone is running open source software, and the challenge is not being able to fix vulnerabilities quickly enough.'
The data is alarming: nearly 50,000 common vulnerabilities and exposures (CVEs) were published in 2025. Anthropic's Project Glasswing, powered by its Mythos Preview model, found nearly 3,900 previously undiscovered high- or critical-severity vulnerabilities in open source software shortly after its launch. This shows that the problem is not only large but growing exponentially.

IBM operates one of the broadest commercial open source ecosystems, consuming over 62,000 packages and running on Linux, Kubernetes, Kafka, Terraform, Java, and other platforms. The company already provides lifecycle management, validation, and patching for components within those environments. With Project Lightwell, the same principles will be applied to a wider set of AI frameworks, standalone libraries, language toolchains, and data streaming platforms.
The project will offer validated fixes to open source code already in use in enterprise environments, facilitating remediation without disrupting stability, certification, or regulatory compliance. No updates or source code access are required; Project Lightwell will backport fixes to exact versions of dependencies that have already been tested and deployed. It operates on foundational configuration manifests like pom.xml. This way, the code remains within controlled enterprise environments when patched artifacts are deployed. The initial focus will be Java/Maven, but the project will later expand to PyPI, npm, Go, and others.
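The manifest-driven approach described above depends on dependencies being pinned to exact versions in files such as pom.xml: only an exact coordinate can be matched against a list of affected versions and swapped for a backported artifact. The following is an added example, not Project Lightwell's code, showing how a defender can inventory the exact dependency coordinates declared in a pom.xml (resolving Maven `${property}` references) and flag both the coordinates that match an affected-version list and the ones that cannot be matched because they use a version range. The pom.xml contents, coordinates, and advisory identifiers are constructed placeholders.

```python
"""Inventory exact dependency versions from a Maven pom.xml and flag the
coordinates that match a list of affected versions.

Added illustration; not Project Lightwell code. The pom, the coordinates
and the advisory identifiers below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample pom.xml (no real project or artifact is referenced).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>ledger-service</artifactId>
  <version>2.3.1</version>
  <properties>
    <parser.version>1.4.2</parser.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example.parser</groupId>
      <artifactId>fast-parser</artifactId>
      <version>${parser.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example.net</groupId>
      <artifactId>http-client</artifactId>
      <version>3.0.0</version>
    </dependency>
    <dependency>
      <groupId>org.example.util</groupId>
      <artifactId>strings</artifactId>
      <version>[1.0,2.0)</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory list: exact (groupId, artifactId, version) coordinates
# known to be affected, mapped to a placeholder advisory id. Not real advisories.
AFFECTED: Dict[Tuple[str, str, str], str] = {
    ("org.example.parser", "fast-parser", "1.4.2"): "ADVISORY-PLACEHOLDER-1",
    ("org.example.net", "http-client", "2.9.9"): "ADVISORY-PLACEHOLDER-2",
}

PROPERTY_REF = re.compile(r"\$\{([^}]+)\}")


@dataclass(frozen=True)
class Dependency:
    group_id: str
    artifact_id: str
    version: Optional[str]  # None when the pom omits it (e.g. managed by a parent)


@dataclass(frozen=True)
class Finding:
    dependency: Dependency
    status: str               # "affected" or "unpinned"
    advisory: Optional[str]   # advisory id for "affected", None otherwise


def resolve_properties(value: str, props: Dict[str, str], max_passes: int = 5) -> str:
    """Interpolate Maven ${name} references; repeat for nested references."""
    for _ in range(max_passes):
        new_value = PROPERTY_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if new_value == value:
            break
        value = new_value
    return value


def parse_pom(pom_xml: str) -> List[Dependency]:
    """Return the declared dependencies with their versions resolved."""
    root = ET.fromstring(pom_xml)
    # The Maven POM uses a default namespace; derive it from the root tag so the
    # parser also works on poms written without one.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)

    props: Dict[str, str] = {}
    props_el = root.find(q("properties"))
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()
    project_version = root.findtext(q("version"))
    if project_version:
        props["project.version"] = project_version.strip()

    deps: List[Dependency] = []
    for dep in root.iterfind(f"./{q('dependencies')}/{q('dependency')}"):
        raw_version = dep.findtext(q("version"))
        deps.append(Dependency(
            group_id=(dep.findtext(q("groupId")) or "").strip(),
            artifact_id=(dep.findtext(q("artifactId")) or "").strip(),
            version=resolve_properties(raw_version.strip(), props) if raw_version else None,
        ))
    return deps


def is_exact_version(version: Optional[str]) -> bool:
    """A bare version is an exact pin; brackets/parentheses denote a Maven range."""
    return bool(version) and not version.startswith(("[", "("))


def check_dependencies(deps: List[Dependency],
                       affected: Dict[Tuple[str, str, str], str]) -> List[Finding]:
    """Flag affected exact coordinates and coordinates that cannot be matched."""
    findings: List[Finding] = []
    for d in deps:
        if not is_exact_version(d.version):
            findings.append(Finding(d, "unpinned", None))
            continue
        advisory = affected.get((d.group_id, d.artifact_id, d.version))
        if advisory is not None:
            findings.append(Finding(d, "affected", advisory))
    return findings


if __name__ == "__main__":
    for f in check_dependencies(parse_pom(SAMPLE_POM), AFFECTED):
        d = f.dependency
        print(f"{f.status:9} {d.group_id}:{d.artifact_id}:{d.version} {f.advisory or ''}")
```

Run against the constructed pom, the check reports `fast-parser:1.4.2` as affected (its version arrived through a property reference, which is why resolution matters) and `strings:[1.0,2.0)` as unpinned: a range cannot be matched to an exact advisory entry, nor can a backported artifact be substituted for it deterministically, which is the practical reason exact pins are a precondition for the kind of in-place remediation the article describes.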
Companies will have the ability to share sensitive vulnerabilities under embargo through a 'secure intermediary model' and receive validated patches covering both Red Hat platforms and independent community code. They will also be able to deploy fixes across dependency chains, report and address issues in active production environments, and share fixes upstream so the broader open source community can incorporate them.
Badani acknowledged that 'we want to ensure that any fix we provide to companies through the clearinghouse also finds its way back to the open source community that developed [the code].' For example, if a piece of Python code is patched, the fix should quickly return to the Python community. With Project Lightwell, that process can be achieved through a 'secure map.'

Thanks to the use of advanced AI and collaboration with leading open source contributors, IBM and Red Hat engineers will focus on connecting upstream and downstream environments so that fixes are enterprise-ready. They will also develop patches and perform 'high-volume' vulnerability triage and classification, as well as dependency hardening.
IBM and Red Hat's current headcount will provide a network of 20,000 engineers, and the companies will expand these teams as needed. The companies will leverage foundational models from leading labs, as well as their own internally developed AI tools and frameworks. The $5 billion will be used to equip teams with AI tools and build internal operational infrastructure.
This combination of AI and human expertise is key. As Badani notes, 'we can address [the problem] with a combination of AI tools and human knowledge and experience. The combination of both offers a better outcome than using only one or the other.' This contrasts with other trends that seek to replace human engineers with AI, as seen in Skipper: The AI Agent That Deploys Without Asking for Opinions.
Among the early adopters of Project Lightwell are Bank of America, BNY, Citi, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. After the initial design period, IBM and Red Hat will progressively onboard more clients to the project via a subscription model.
David Shipley of Beauceron Security has called such initiatives 'desperately needed' if companies want to save open source. According to Shipley, 'the era when trillions of dollars in value depended on volunteers ended abruptly with Mythos, and the bill for open source has finally arrived. Companies will have to pay or lose it.'
In his view, 'if we don't find a way to invest in open source, which would close a long-standing equity problem, the alternative is for everyone to build their own custom code using AI.' This would be 'enormously inefficient' from a computational and environmental standpoint.
Shipley hopes that 'this will spur others to act.' The IBM and Red Hat initiative could mark a turning point in how companies approach open source security. It is not just a technical issue but also an economic and strategic one. As seen in AI Agent Governance: Snowflake Bets on Natoma and the MCP Protocol to Avoid Enterprise Chaos, coordination and standardization are essential to avoid chaos.
Badani emphasized that while AI is excellent at discovering security issues in open source, the patching process can still be complex. Fixes must be sent upstream, distributed to the open source community, and then flow back to customers and users. 'Finding the bug is one thing, and the other is all the steps needed to actually remediate it. That extra time is the gap we are trying to help close.'
Highlighting the severity of the problem, IBM and Red Hat have already received an 'avalanche of incoming requests' since the announcement of Project Lightwell. Badani warns that 'this is not going to stop soon,' and adds, 'Even if we successfully solve the initial set of challenges that come our way, this will be something companies will need on an ongoing or recurring basis.'
Project Lightwell represents a paradigm shift in open source software security. It not only addresses the immediate problem of vulnerabilities but also establishes a sustainable model for the future. Collaboration between tech giants, financial institutions, and the open source community could be the key to maintaining innovation without sacrificing security. As seen in Project Lightwell: IBM and Red Hat's $5 Billion Bet to Save Enterprise Open Source, this initiative could have a lasting impact on the industry.
Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.