Enterprise & Industry

IBM and Red Hat invest $5B in Project Lightwell to secure open-source software

20,000 engineers and AI aim to fix the open-source security crisis.

Deep Dive

IBM and its subsidiary Red Hat have announced Project Lightwell, a massive $5 billion AI-powered initiative to secure open-source software. The program will deploy 20,000 engineers and frontier-scale AI models to proactively hunt for vulnerabilities, triage them, and propose patches to upstream maintainers. The goal is to transform the current reactive, fragmented approach into a high-throughput remediation pipeline. Anthropic's Mythos Preview model recently identified nearly 3,900 serious vulnerabilities in open-source code within weeks, underscoring the scale of the problem.

Project Lightwell will operate as a subscription-based clearinghouse: enterprises feed in an inventory of the open-source software they use, and Lightwell engineers use AI to analyze that code, prioritize the flaws found, and develop patches that are submitted through each project's own community governance. Unlike a traditional bug bounty, which pays for reports, Lightwell focuses on landing fixes upstream and on long-term lifecycle support for enterprise deployments. The point of delivering triaged findings with candidate patches, rather than a larger stream of raw reports, is to relieve maintainer burnout, as exemplified by cURL's Daniel Stenberg, who reported a four- to five-fold increase in security reports since 2024.

Key Points
  • IBM and Red Hat commit $5 billion and 20,000 engineers to Project Lightwell for open-source security.
  • Anthropic's Mythos Preview model found nearly 3,900 serious vulnerabilities in open-source code in weeks.
  • cURL maintainer Daniel Stenberg reports 4-5x more security reports since 2024, leading to burnout.

Why It Matters

A coordinated industry effort could finally stem the tide of open-source vulnerabilities threatening enterprise supply chains.