Project Lightwell: IBM and Red Hat Invest $5 Billion in Open Source Security
In the past few hours, IBM and Red Hat announced Project Lightwell, a commitment of $5 billion and over 20,000 engineers to secure the open-source software on which large enterprises' infrastructure relies.
The announcement is presented as a redefinition of the sector, but essentially it extends a model that Red Hat has always applied: selling support, validation, and enterprise-level patches for code that remains free. Until now, that service covered the components within the two groups' products, from RHEL to Kubernetes, Ansible, and Terraform; now it expands to independent libraries, toolchains, AI frameworks, and data streaming platforms that companies manage on their own.
The Bottleneck of Patching
Frontier AI models have made the discovery of vulnerabilities enormously faster: Anthropic estimates that its Mythos Preview model has identified around 3,900 high or critical severity flaws in open-source software alone, as part of Project Glasswing. However, finding the flaws is now the easy part, while the difficult part is fixing them: as we have previously reported, open-source project maintainers receive them faster than they can correct them, to the point that several have requested to slow down the pace of reporting because they are overwhelmed by the volume.
It is in this context that IBM places the project, stating that it has incorporated the lessons learned from initiatives like Anthropic's Project Glasswing and OpenAI's Trusted Access for Cyber, applying its security methods.
A Subscription-Based Clearinghouse
The heart of the initiative is what IBM calls a clearinghouse: a mediation structure that serves as a coordinating layer on security, where AI is used to validate and test fixes on a vast volume of code. Companies access it through commercial subscriptions and integrate the already validated patches directly into their software supply chains.
Three functions are anticipated: to report and resolve vulnerabilities found in the versions actually in use within a protected framework; to receive optimized patches for production environments, both for Red Hat products and for independent community code; and to coordinate the disclosure of fixes to upstream projects so that they can enter into long-term maintenance. To support its credentials, IBM states that it uses over 62,000 open-source packages, with in-depth expertise on more than 10,000.
On the personnel front, the two groups are taking a direction opposite to much of the sector: while many are reducing their technical workforce by relying on AI, here the 20,000 engineers are presented as strategic assets, complemented by automated tools rather than replaced by them. There are eleven launch customers, all of them financial institutions: Bank of America, BNY, Citi, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo.
Automated vulnerability discovery has already saturated the capacity of those who must fix the flaws, so a dedicated industrial structure for patching responds to a concrete need. However, in the press release, disclosure to upstream projects is the last of the clearinghouse's three functions, listed after the subscription model, and IBM describes it as coordination with maintainers. Those maintainers are the ones who keep alive libraries installed on billions of devices, devices that depend on upstream fixes.