 |
Project Lightwell will build a trusted enterprise-grade open-source software security collaboration platform, safeguarding the software supply chain with a new AI-driven model.
BeijingJune 2, 2026 /PRNewswire/ — IBM (NYSE: IBM) and Red Hat recently announced the launch of Project Lightwell, committing $50 billion and leveraging cutting-edge AI capabilities along with a global team of over 20,000 engineers to help enterprises secure open-source software. These investments collectively establish a new enterprise-grade open-source software application model, covering the entire process from upstream development to the production environment.
IBM-RedHat Project Lightwell
Project Lightwell will establish a trusted enterprise-grade open-source softwareclearinghouse (note: a security collaboration platform for vulnerability sharing and remediation), equipped with a global team of engineers to achieve vulnerability identification and remediation at scale. This platform will serve as a security collaboration layer, leveraging cutting-edge AI capabilities to validate and test remediation solutions for vast amounts of open-source code. These capabilities will be offered through commercial subscriptions, enabling enterprises to directly integrate security patches into their existing software supply chains and gain enterprise-grade validation and lifecycle management support.
Open-source software underpins the IT infrastructure of modern enterprises, with over 90% of Fortune 500 companies relying on it [1]. At the same time, advances in cutting-edge AI technology are accelerating the discovery and exploitation of vulnerabilities. A recent report from Anthropic found that its Mythos Preview model identified nearly 3,900 high-risk or critical vulnerabilities in open-source software alone [2].
IBM and Red Hat have already begun early collaboration with select users on Project Lightwell, including Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. These early deployments will provide valuable experience in identifying, validating, and remediating vulnerabilities within complex software supply chains, laying the groundwork for future large-scale adoption.
Behind Project Lightwell, in addition to IBM and Red Hat’s leadership in open source, enterprise-grade AI, and security, are lessons from cybersecurity initiatives such as Project Glasswing (led by Anthropic) and Trust Access for Cyber (led by OpenAI). The project aims to leverage IBM’s new AI agent security approach to protect the foundational open-source layers supporting modern enterprises and AI systems.
Arvind Krishna, IBM Chairman and CEO, stated: “Open-source technology is the backbone of today’s digital economy and the foundation of modern AI, and we are at a critical turning point in how it is built, protected, and scaled. Through Project Lightwell, IBM and Red Hat are defining a new industry model—integrating AI, software engineering expertise, and trusted collaboration to protect the entire supply chain of open-source software from the source. This is about greater trust, especially for the critical systems that underpin businesses, governments, and society.”
Building a Trusted Open-Source SoftwareClearinghouse for Comprehensive Collaborative Vulnerability Sharing and Remediation
Project Lightwell expands IBM and Red Hat’s proven enterprise-grade open-source model, breaking new ground beyond their traditional product portfolio. IBM already uses over 62,000 open-source software packages and possesses deep expertise in more than 10,000 of them. In technology areas such as Linux, Java, Kubernetes, Kafka, Ansible, Terraform, Flink, and Cassandra, IBM and Red Hat operate one of the industry’s most extensive commercial open-source ecosystems, consistently providing lifecycle management, validation, and patching for components within their platforms. Now, IBM and Red Hat are applying the same engineering rigor to a broader range of use cases, including standalone software libraries, language toolchains, AI frameworks, and data streaming platforms.
This model directly addresses the operational vulnerabilities enterprises face when managing independent open-source code on their own. Through the clearinghouse model, enterprises can achieve:
- Report and Remediate Vulnerabilities: Responsibly share sensitive security issues in their active software versions within a trusted middleware framework.
- Deploy Verified Patches: Receive patches optimized for production environments, covering both Red Hat products and independent community code.
- Coordinate Upstream Disclosure: Share fixes upstream in the supply chain so that open-source communities can incorporate them into long-term maintenance.
Under this model, enterprises can entrust IBM and Red Hat with critical security issues while protecting the overall open-source ecosystem through responsible upstream disclosure.
Global-Scale, AI-Powered Software Engineering Capabilities
Today, many tech companies are using AI to streamline technical staff, but IBM and Red Hat are taking a different approach, positioning technical engineering capabilities as a key strategic asset and competitive advantage.
IBM and Red Hat will assemble a global technical team of over 20,000 engineers, supplemented by leading AI capabilities. This team will cover both the upstream and enterprise environments of the open-source software supply chain, focusing on the following tasks:
- Collaborate with open-source community leaders on upstream maintenance;
- Conduct large-scale, AI-assisted vulnerability review, classification, and prioritization;
- Develop security patches, harden dependencies, and manage release engineering.
Project Lightwell aims to support government agencies in protecting digital infrastructure and critical systems while enhancing the overall resilience of the open-source software ecosystem.
For more information about Project Lightwell, please visit: https://www.ibm.com/products/lightwell
[1] Source: Worldmetrics; worldmetrics.org/opensource-statistics/
[2] Source: Anthropic; anthropic.com/research/glasswing-initial-update
AboutIBM
IBM is a leading global provider of hybrid cloud, artificial intelligence, and enterprise services, helping clients in over 175 countries derive business insights from their data, streamline business processes, reduce costs, and gain competitive advantages. More than 4,000 government and enterprise entities in critical infrastructure sectors such as financial services, telecommunications, and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to achieve rapid, efficient, and secure digital transformation. IBM’s breakthrough innovations in AI, quantum computing, industry cloud solutions, and enterprise services offer our clients open and flexible choices. A long-standing commitment to corporate integrity, transparent governance, social responsibility, inclusive culture, and service excellence forms the cornerstone of IBM’s business development. For more information, please visit: https://www.ibm.com/cn-zh
About Red Hat
Red Hat is a leader in open hybrid cloud technology, providing a trusted, consistent, and comprehensive foundation for transformative IT innovation and AI applications. Red Hat’s portfolio of cloud, developer, AI, Linux, automation, and application platform technologies helps enterprises deploy any application across environments, from data centers to the edge. As a leading global provider of enterprise open-source software solutions, Red Hat actively invests in open ecosystems and communities to address future IT challenges. Through close collaboration with partners and customers, Red Hat helps them build, connect, automate, protect, and manage their IT environments, offering consulting services and award-winning training and certification programs.
IBM Media Contact