IBM & Red Hat launch £5bn open-source security plan

Fri, 29th May 2026
Sean Mitchell, Publisher

IBM and Red Hat have launched Project Lightwell with a USD $5 billion commitment aimed at securing open-source software used by large organisations.

The initiative combines AI systems with a team of more than 20,000 engineers to identify vulnerabilities, test fixes and deliver patches for software used across enterprise environments. It is designed to cover the path from upstream open-source development to production systems.

At the centre of the plan is what the companies describe as a trusted clearinghouse for open-source security issues. It is intended to act as an intermediary where enterprise users can report sensitive vulnerabilities in the software versions they actively run, receive validated patches and coordinate disclosure of fixes back to upstream projects.

The service will be offered through commercial subscriptions, allowing customers to integrate patches into existing software supply chains while relying on IBM and Red Hat to validate and manage updates over time.

Open-source software now sits at the core of corporate technology stacks, and the companies pointed to its broad reach across large businesses, citing an estimate that more than 90% of Fortune 500 companies rely on it.

They also framed the launch as a response to a threat landscape increasingly shaped by AI. Newer AI models, they said, are making it easier to find and exploit software weaknesses, increasing pressure on companies that depend on open-source components maintained by dispersed communities.

IBM and Red Hat said they have already begun working with a group of early adopters drawn largely from the financial sector. Those organisations include Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa and Wells Fargo.

The involvement of large banks and payment groups suggests the first use cases are likely to focus on critical systems with high regulatory and operational demands. Financial institutions are among the biggest users of open-source software, but they also face strict requirements around patching, resilience and third-party risk management.

How it works

The clearinghouse model is designed to address a common problem for enterprise technology teams: the gap between discovering a flaw in open-source code and obtaining a fix suitable for production deployment. In many cases, companies rely on community projects that may not provide a patch on a timetable that matches corporate risk expectations.

Under Project Lightwell, customers would be able to share vulnerability details within a controlled framework, obtain patches tuned for production environments and support disclosure upstream so maintainers can fold the fixes into longer-term releases. The approach extends beyond Red Hat products to include independent libraries, language toolchains, AI frameworks and data streaming platforms.

That broader scope matters because many of the most widely used open-source components in enterprise environments sit outside formal vendor support arrangements. Companies often assemble software from thousands of packages, dependencies and libraries, some of which are maintained by small teams or volunteers.

IBM said it already uses more than 62,000 open-source packages and has deep expertise in more than 10,000. It also highlighted its work across Linux, Java, Kubernetes, Kafka, Ansible, Terraform, Flink and Cassandra as evidence of the engineering base it plans to apply to the project.

Security focus

Project Lightwell arrives as governments and major businesses pay closer attention to software supply-chain security. Open-source code has long provided the building blocks of digital infrastructure, but recent years have shown how vulnerabilities in small, widely distributed components can cascade across industries.

IBM and Red Hat said the project draws on lessons from other recent efforts in AI and cyber security, including Anthropic's Project Glasswing and OpenAI's Trusted Access for Cyber. They also said the initiative would use IBM security methods based on autonomous or semi-autonomous AI agents to help review code, prioritise vulnerabilities and support patch development.

The companies stressed that they are expanding technical staffing rather than cutting it. That sets the programme apart from parts of the technology sector where AI investment has been coupled with pressure to reduce engineering headcount.

"Open source is the backbone of today's digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled," said Arvind Krishna, Chairman and CEO, IBM.

"With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open-source software at its source and across the entire supply chain. This is about strengthening trust in the systems that power business, government, and society," said Krishna.