Open source software is the invisible engine of the digital economy: 90% of Fortune 500 companies integrate it into their supply chains. However, its main strength (transparency and massive collaboration) also makes it a constant target. Tens of thousands of flaws (CVEs) are published each year, and the rate at which they are discovered far exceeds organizations' ability to patch them. IBM and Red Hat want to change that equation with Project Lightwell, an initiative that mobilizes $5 billion and 20,000 engineers to build an AI-powered "security clearinghouse."

Announced this week, Project Lightwell is not just another product but a comprehensive platform that acts as a security coordination layer between open source maintainers and the enterprises that consume it. Its goal is to close the gap between vulnerability discovery and effective remediation, a process that today can take weeks or months.
According to Ashesh Badani, senior vice president and head of Product at Red Hat, "advances in AI tools have broken the patching map." In other words, we can now find flaws at unprecedented speed, but the ability to fix them without breaking operational stability remains the bottleneck. Project Lightwell aims to automate and coordinate the entire cycle: detection, analysis, patch development, backporting, and secure deployment.
The numbers are overwhelming. In 2025 alone, nearly 50,000 CVEs were published. Initiatives like Anthropic's Project Glasswing, based on its Mythos Preview model, discovered nearly 3,900 previously unknown critical vulnerabilities in open source software. The problem is not just quantity but speed: while attackers exploit flaws in hours, companies take days to apply patches.
IBM, which already manages over 62,000 packages in its ecosystem (Linux, Kubernetes, Kafka, Terraform, Java, etc.), will apply its lifecycle management and validation expertise to a broader set of technologies: AI frameworks, standalone libraries, language toolchains, and data streaming platforms. The promise is to deliver validated fixes that do not disrupt stability, certification, or regulatory compliance.

Project Lightwell does not require companies to upgrade their dependencies or to hand over their source code. Instead, it backports fixes onto the exact versions already tested and deployed in enterprise environments, rather than forcing a jump to the upstream release that carries the fix. It works from dependency manifests such as pom.xml (Java/Maven initially) and will expand to PyPI, npm, Go, and other ecosystems.
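The manifest-driven triage the previous paragraph describes can be illustrated with a small script. This is an added example, not Project Lightwell code: it parses a constructed pom.xml (resolving `${property}` versions the way Maven does), checks each pinned coordinate against a constructed advisory table whose identifiers and version ranges are invented for the example, and reports whether the upstream fix is a drop-in bump on the same major.minor line or whether the fix would have to be backported onto the pinned line. The version ordering is a simplification of Maven's (it ignores qualifier semantics such as `-SNAPSHOT`).

```python
"""Triage pinned Maven dependencies against an advisory table.

Added example, not Project Lightwell code. The pom.xml, the advisory
entries (ids, ranges) and the helper names are all constructed here for
illustration; they do not describe real CVEs.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed manifest: one property-driven version, as in real Maven projects.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>ledger</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.13.2</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>1.9</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>2.0.9</version>
    </dependency>
  </dependencies>
</project>
"""


@dataclass(frozen=True)
class Advisory:
    """Hypothetical advisory: versions in [introduced, fixed) are affected."""
    adv_id: str
    group: str
    artifact: str
    introduced: str
    fixed: str


# Constructed advisory feed; ids and ranges are made up for the example.
ADVISORIES = [
    Advisory("ADV-EX-1", "com.fasterxml.jackson.core", "jackson-databind", "2.0", "2.15.0"),
    Advisory("ADV-EX-2", "org.apache.commons", "commons-text", "1.5", "1.9.1"),
]


def version_key(version):
    """Sortable tuple for dotted versions (simplified Maven ordering)."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def parse_dependencies(pom_xml):
    """Return {(groupId, artifactId): version} with ${property} refs resolved."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    deps = {}
    for dep in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        def field(name, node=dep):
            child = node.find(POM_NS + name)
            return (child.text or "").strip() if child is not None else ""
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         field("version"))
        deps[(field("groupId"), field("artifactId"))] = version
    return deps


def is_affected(pinned, adv):
    return version_key(adv.introduced) <= version_key(pinned) < version_key(adv.fixed)


def same_minor_line(a, b):
    return version_key(a)[:2] == version_key(b)[:2]


def triage(pom_xml, advisories=ADVISORIES):
    """List affected pinned dependencies and the remediation shape for each."""
    deps = parse_dependencies(pom_xml)
    findings = []
    for adv in advisories:
        pinned = deps.get((adv.group, adv.artifact))
        if pinned is None or not is_affected(pinned, adv):
            continue
        findings.append({
            "artifact": f"{adv.group}:{adv.artifact}",
            "pinned": pinned,
            "advisory": adv.adv_id,
            "upstream_fix": adv.fixed,
            # Fix on the same major.minor line: a drop-in bump. Otherwise the
            # fix must be backported onto the pinned line to avoid an upgrade.
            "remediation": "bump" if same_minor_line(pinned, adv.fixed) else "backport",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_POM):
        print(finding)
```

Run as a script it prints one finding per affected coordinate; `slf4j-api` has no advisory and is not reported. The distinction the last field draws is the one that matters for the model described above: a same-line fix can simply be pinned, whereas a fix that only exists on a later minor or major line is exactly the case where a backport onto the deployed version avoids a disruptive upgrade.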
Fixes are integrated directly into the existing software supply chain without modifying developer workflows. The code remains within controlled environments, reducing regression risks. Additionally, companies can share sensitive vulnerabilities under embargo through a "secure intermediary model," receiving validated patches that cover both Red Hat platforms and community-independent code.
Badani insists that fixes do not stay within the enterprise: "We want to ensure that any fix we provide to companies also finds its way back to the open source community." For example, if a piece of Python is patched, the fix is quickly returned to the Python community via a "secure map."
Although tech discourse often focuses on replacing engineers with AI, Project Lightwell bets on collaboration. Foundational models from leading labs, combined with IBM and Red Hat's own tools, help classify vulnerabilities, generate patches, and perform high-volume reviews. But the final decision and validation rest with the 20,000 engineers in the network, which can be scaled up as needed.
"Finding the bug is one thing; the other is all the steps needed to actually remediate it. That additional time is the gap we are trying to close," explains Badani. The $5 billion investment will be used to equip teams with AI tools and build the internal operational infrastructure needed to scale the service.

Project Lightwell already has eleven financial sector partners as early adopters: Bank of America, BNY, Citi, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. During the design phase, these entities will collaborate on defining requirements and use cases. Subsequently, the service will be offered under a commercial subscription model, gradually opening the door to more customers.
For David Shipley of Beauceron Security, initiatives like this are "desperately needed." In his view, the era when trillions of dollars in value depended on volunteers ended abruptly with the arrival of tools like Mythos. "Companies will have to pay or lose it," he states. Shipley warns that if open source is not invested in, the alternative would be for each organization to build its own custom code using AI, which would be "enormously inefficient" from a computational and environmental standpoint.
Project Lightwell is part of a broader trend toward business process automation and the use of AI agents for critical tasks. However, unlike approaches like Skipper, which deploys without asking for opinions, Lightwell keeps humans in the loop. Security cannot be fully delegated to machines, as demonstrated by cases like Gavriel Cohen and OpenClaw, where an AI agent found its own code and retired, highlighting the need for oversight.
The initiative also resonates with Snowflake's efforts to control AI agents and the search for standard protocols like MCP. In a world where business productivity increasingly depends on tools like Microsoft 365, the security of underlying code is a foundation that cannot be compromised.
Badani acknowledges that demand is immense: "We have already received an avalanche of requests since the announcement." And he warns that the problem will not be solved once: "Even if we successfully solve the initial set of challenges, this is something companies will need on a continuous or recurring basis."
Project Lightwell is not a silver bullet, but it represents a paradigm shift: moving from reactive, fragmented security to centralized coordination, powered by AI and backed by human engineers. If it achieves its goal, it could become the de facto standard for managing vulnerabilities in enterprise open source.
Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.