IBM and Red Hat have announced Project Lightwell, a $5 billion program designed to strengthen open-source software security as AI tools make it easier to discover and take advantage of vulnerabilities. The program will combine a global engineering force of more than 20,000 engineers with AI-assisted security workflows to help enterprises secure open-source code from development through production.
IBM said more than 90% of Fortune 500 companies rely on open-source software, while Reuters reported that AI is increasing the speed and scale at which attackers can find weaknesses in that code.
Project Lightwell is being positioned as a trusted enterprise clearinghouse for open-source security; IBM says the service will let companies report vulnerabilities confidentially, receive tested fixes, and share those fixes back into the open-source community. The service will launch within 30 days as a commercial subscription offering, with pricing likely tied to the number of packages used.
The first group of early adopters includes Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo.
Enterprise software depends on so many external libraries, frameworks, and dependencies that one weak component can spread risk across a large system. Open source is a prime target for hackers because its wide use creates many possible entry points, and AI is making the search for flaws faster.
IBM and Red Hat are responding by extending their existing enterprise open source model beyond their own platforms. The companies said they have historically managed lifecycle work such as validation and patching inside their ecosystems, and Project Lightwell now applies that discipline to independent open-source libraries, language toolchains, AI frameworks, and data-streaming platforms as well.
What Project Lightwell Does
Project Lightwell is designed to serve as a security coordination layer; IBM says it will use advanced AI capabilities to validate and test fixes across a very large volume of open-source code, while the engineering team will focus on upstream maintenance, AI-assisted vulnerability review, triage, prioritization, secure patch development, dependency hardening, and release engineering.
The model is meant to cover the wider open-source application landscape, including components enterprises often assemble on their own.
Traditional vendor support generally covers the software a company ships or maintains itself. IBM and Red Hat are trying to build a wider clearinghouse model that covers the upstream source, the enterprise deployment, and the patch path in between. That makes the service closer to a supply-chain security layer than a conventional support contract.
The project uses new frontier AI capabilities to validate and test fixes at scale. In that sense, Lightwell is both a defensive response and an acknowledgment that the threat environment has changed.
Impact on Enterprise Security
For enterprise buyers, the practical value is likely to be less about branding and more about process. Open-source security problems often become production problems because patches are hard to evaluate, integrate, and verify quickly. Project Lightwell is designed to reduce that friction by providing enterprise-grade validation and lifecycle management for secure patches.
The early adopter list includes major banks and payment companies, which is a signal that the service is being shaped within environments where software provenance, auditability, and patch discipline matter as much as raw code quality. IBM states the initiative backs government priorities around critical infrastructure resilience.
A few years ago, the main conversation around open source was adoption and licensing. Now the question is supply-chain trust: who validates the code, who patches it, and who can prove the system is safe enough for production. IBM and Red Hat are trying to turn that trust layer into a commercial service.
What It Means
The larger meaning of Project Lightwell is that open-source security is moving from a background IT task to a managed enterprise function. IBM and Red Hat are betting that companies will pay for a trusted intermediary that can validate fixes, coordinate disclosures, and reduce the risk of shipping vulnerable code into production.