Technology

IBM and Red Hat pledge $5B to secure open source

IBM and Red Hat are pouring $5 billion over the coming years into Project Lightwell, an AI-powered effort meant to find and fix vulnerabilities in open-source software at “industrial scale.” The initiative will draw on 20,000 engineers, start with the Maven/Ja

When Daniel Steinberg logs onto his systems now, he isn’t just looking for bugs—he’s trying to keep up with a flood.

Steinberg, the founder and maintainer of the open-source data transfer tool cURL, described how security reports have accelerated. He said incoming security reports now arrive four to five times faster than they did in 2024 and twice as fast as in 2025. He admitted that, for the first time, he is working more than he ever has, yet "the flood keeps coming," to the point that he is "on the verge of burning out."

His appeal was simple: more companies should “fund us” so more developers can absorb the workload.

IBM and Red Hat have answered with a plan called Project Lightwell, an AI-powered initiative they describe as a "first-of-its-kind force" to find and fix vulnerabilities in open-source software at industrial scale. Lightwell is positioned as a clearinghouse for securing the open-source components that underpin modern enterprise IT, but it comes with a critical limitation: the initiative won't pay upstream developers.

Instead, the companies say they’ll build a bridge between enterprise needs and upstream governance by putting IBM and Red Hat engineers—armed with AI tools—directly into the work on business-critical projects.

The teams behind Lightwell plan to invest $5 billion over the coming years to roll out frontier-scale AI models, tooling, and a global engineering organization dedicated to open-source security. The pitch isn't only technical: the companies also plan to dedicate 20,000 engineers to treating open-source risk as a first-order supply chain problem, not a background maintenance chore.

That framing lands hard at a moment when open-source maintainers are struggling to keep pace. IBM's push also reflects the view that traditional security work isn't sufficient. As IBM's chairman and CEO Arvind Krishna put it, the company is helping define "a new industry model," bringing together AI, engineering expertise, and "trusted collaboration" to secure open-source software "at its source and across the entire supply chain."

Lightwell’s operating model is meant to look familiar to enterprises—without trying to replace the communities that create the code. Businesses will feed the initiative information about the open-source software they run. Lightwell engineers will then use AI to hunt for flaws and propose fixes. From there, Lightwell engineers will work with upstream maintainers to get patches merged and shipped.

The clearinghouse is also designed to consolidate tasks that are often scattered across different places: vulnerability discovery at large scale, triage and prioritization, patch development, backporting, and long-term lifecycle support for the specific versions enterprises actually deploy.

The companies argue the pipeline can turn the current pattern—manual fixes moving at the speed of individual teams—into something closer to high-throughput remediation, while still respecting open development norms and project governance.

Speed is the point, and AI's role is part of the urgency. The launch materials cite Anthropic's Mythos Preview model as having already identified nearly 3,900 serious security vulnerabilities in open-source software in just a few weeks, strengthening the case for faster discovery and remediation.

Lightwell's designers say their human-in-the-loop approach is essential if AI is to be trusted with security-critical code. IBM said models can surface patterns and issues that human reviewers would never have time to cover. Still, deciding what counts as a safe and acceptable fix will remain with experienced engineers and project maintainers.

In practice, Lightwell is intended to show up to communities as a particularly large and well-organized contributor, not as an opaque automation layer dropping unsolicited pull requests.

It won’t start everywhere. Lightwell will begin with the Maven/Java ecosystem, which has seen enormous abuse even before AI entered the picture. From there, the project will expand across PyPI, npm, Go, and other important open-source codebases.

IBM says its latest AI models will power the initiative. Those systems will scan massive codebases, dependency graphs, and configuration archives for potential vulnerabilities, then generate candidate patches that human engineers validate before anything goes upstream or into customer environments.

Red Hat's involvement draws on a playbook the company has used for decades: take upstream open source, harden and support it for enterprises, and push improvements back to the community. For Red Hat, the difference here is scope. Lightwell targets the long tail of libraries, frameworks, and tools that quietly underpin everything from banking systems to AI pipelines, not just Red Hat's own products such as Red Hat Enterprise Linux (RHEL), OpenShift, and Ansible.

Lightwell engineers are expected to file issues, propose patches, and co-maintain critical components alongside existing project leaders rather than forking or replacing them. And when upstream maintainers disagree with a fix or decline to support an older branch, Lightwell will still be able to carry hardened backports for its customers. The companies say the default path remains upstream-first, with the clearinghouse acting as a bridge between enterprise production demands and community release cadences.

Where enterprises come in most clearly is through commercial subscriptions. IBM and Red Hat said explicitly that these capabilities will be sold that way, letting enterprises integrate vetted patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management.

The subscription is described as an overlay on existing supply chains, not a new distribution. Lightwell plugs into the continuous integration and continuous deployment (CI/CD) pipelines, registries, and software bill of materials (SBOM) processes companies already use. The companies say it will deliver vetted fixes and policy decisions via APIs, catalogs, and integrations.

IBM senior vice president of software Rob Thomas told Reuters that the service will launch as a commercial offering within the next 30 days. Pricing is described as likely based on the number of packages used. The subscription, Thomas said, will give clients a "stamp of approval from the clearinghouse that their open source is safe to use in production."

But the questions that keep maintainers awake at night don’t automatically disappear when the funding arrives. The plan’s promise hinges on speed, but it also hinges on trust—especially for the upstream developers who won’t be paid by Lightwell.

What exactly do upstream developers and their communities get in return? If patches land in upstream repositories, what are enterprises actually paying for? And if the clearinghouse is meant to be trusted, and trusted intermediaries can become gatekeepers, where does that leave upstream autonomy?

Right now, those answers are missing. Lightwell is meant to turn a trickle of security fixes into a high-throughput pipeline—yet the hardest part of this shift may be figuring out how the incentives and responsibilities balance out for everyone involved.

For now, the only thing that’s unquestionable is the pressure Steinberg described. In 2024, then in 2025, and now again, incoming security reports keep surging. Project Lightwell is IBM and Red Hat’s attempt to meet that surge—before another maintainer reaches the point where work becomes impossible.

IBM Red Hat Project Lightwell open-source security AI security cURL Maven Java vulnerabilities PyPI npm Go software supply chain SBOM CI/CD cybersecurity

4 Comments

  1. I don’t get how open source can be “industrial scale” like it’s a factory lol. Also 20,000 engineers sounds fake, who even has that many? If they need people to fund it, why not just make it free and funded like before.

  2. Wait, the article says cURL guy is burning out bc he’s getting security reports faster… isn’t that just more hackers? Like, if IBM is paying $5B, they should just stop the attacks? Unless this “Lightwell” is just more bureaucracy.

  3. Four to five times higher than 2024 and double 2025?? Sounds like they’re admitting it’s going downhill. I feel bad for the maintainer though, that’s brutal. But I’m skeptical—AI “find and fix” vulnerabilities sounds like the kind of thing that breaks other stuff later. Also Maven/Ja When Daniel Steinberg?? That part reads weird, did I miss something?
