IBM, Red Hat unveil $5B Project Lightwell to secure open source

IBM and Red Hat will invest $5 billion in Project Lightwell, an AI-assisted program to review open-source vulnerabilities, deliver validated patches and provide support from 20,000+ engineers.

IBM and Red Hat announced a $5 billion initiative called Project Lightwell to secure open-source software supply chains. The program will use AI to review vulnerabilities, produce validated patches and support integration across enterprise software stacks.

Project Lightwell will be offered via commercial subscriptions. The platform is designed to scan large volumes of open-source code, validate fixes and test patches against the exact versions companies run. Subscribers receive production-ready patches with enterprise-grade validation and lifecycle management, and fixes are shared upstream so community projects can adopt them.

The effort will combine AI-assisted review with manual engineering validation to triage and prioritize vulnerabilities, harden dependencies, develop secure patches and manage releases. Teams will work across Red Hat products and independent community code, collaborating with open-source project leaders on upstream maintenance and downstream enterprise needs.

More than 20,000 engineers across IBM and Red Hat will support the program in both upstream communities and enterprise environments. Early adopters involved in initial deployments include Bank of America, BNY, Citi, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa and Wells Fargo. Company executives noted that feedback from these deployments will shape how vulnerabilities are identified, validated and remediated at scale.

Open-source use is widespread: the companies said more than nine in 10 Fortune 500 firms rely on open-source software. Industry data shows increases in both malicious and vulnerable packages: one vendor tracked 454,648 malicious open-source packages in 2025, a 67% year-over-year rise, while another found that 86% of codebases contain open-source vulnerabilities and that 81% of those codebases contain vulnerabilities rated high or critical risk. IBM added that AI-driven vulnerability discovery is increasing both the volume and the pace of disclosed CVEs, widening the gap between disclosure and remediation for many organizations.

Arvind Krishna, IBM’s chairman and CEO, described Project Lightwell as “helping define a new industry model” that pairs AI, engineering expertise and collaboration to secure open-source software across the supply chain.

IBM and Red Hat plan to refine Project Lightwell through the early adopter program and broader rollouts, with the goal of reducing the time between vulnerability discovery and deployment of fixes across complex software supply chains.