IBM, Red Hat Launch $5B Lightwell for Open-Source Security

IBM and Red Hat will invest $5 billion in Project Lightwell, an AI-driven clearinghouse that validates, patches and manages open-source supply-chain security for enterprises.

IBM and Red Hat announced this week a $5 billion investment in Project Lightwell, an AI-driven clearinghouse to validate, patch and manage open-source software supply-chain security for enterprise customers.

The platform, offered through commercial subscriptions, will use advanced AI to scan large volumes of open-source code, validate fixes and test patches. Enterprises will be able to integrate those patches directly into existing software supply chains with enterprise-grade validation and lifecycle management. More than 20,000 engineers will work across upstream community projects and enterprise environments to support the effort.

Lightwell will let organizations report and resolve vulnerabilities, receive production-optimized patches for the exact open-source versions they run, and push fixes back to community maintainers for inclusion in long-term releases. Core workstreams include upstream maintenance with community leaders, high-volume AI-assisted vulnerability review, automated triage and prioritization, secure patch development, dependency hardening and release engineering.

IBM and Red Hat named a group of early adopters from the financial sector, including Bank of America, BNY, Citi, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa and Wells Fargo. The companies said deployments with these customers will inform how vulnerabilities are identified, validated and remediated across complex supply chains.

Security data cited by the companies shows rising threats. Sonatype reported 454,648 malicious open-source packages in 2025, a 67% increase from the prior year, and linked one state-affiliated group to more than 800 malicious packages. Data from Black Duck indicates 86% of codebases contain open-source vulnerabilities, with 81% of those rated high or critical, up from 74% the year before. IBM noted that AI-assisted vulnerability discovery has increased the number and speed of new CVEs.

IBM said Project Lightwell aims to move organizations from detection to remediation without disrupting stability, certification or compliance. The project will operate across Red Hat products and independent community code and includes mechanisms to push fixes upstream so maintainers can adopt them into future releases.

Arvind Krishna, chairman and CEO of IBM, described the initiative: “Open source is the backbone of today’s digital economy and the foundation of modern AI. With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain.”