IBM and Red Hat Commit $5 Billion to Secure Open Source Supply Chains Under “Project Lightwell”
IBM and Red Hat announce $5B Project Lightwell to secure open source supply chains using AI.
Summary
IBM and Red Hat launched Project Lightwell, a $5 billion initiative with over 20,000 engineers designed to secure open source software across enterprise supply chains. The project will establish an AI-powered enterprise clearinghouse to identify, triage, and validate vulnerabilities and patches across open source codebases, with results delivered to enterprises via commercial subscriptions. Initial participants include major financial institutions like JPMorgan Chase, Bank of America, Citi, and others.
Full text
IBM and its subsidiary Red Hat announced Project Lightwell on Thursday, a joint initiative backed by a $5 billion investment and a workforce of more than 20,000 engineers. The project is designed to address the growing operational risks facing corporate digital infrastructure by systematically securing open source software across enterprise supply chains.

At the core of the initiative is the establishment of an “enterprise clearinghouse” that leverages artificial intelligence to scale software security. The system will use AI to identify, triage, prioritize, and validate vulnerabilities and fixes across open source code bases. Engineers involved in the project will focus their efforts on active upstream maintenance alongside open source community leaders, high-volume AI-assisted vulnerability reviews, and the development of secure patches and release engineering. The resulting validated patches, capabilities, and lifecycle management features will be delivered to enterprises through commercial software subscriptions.

The initiative builds on IBM and Red Hat’s existing commercial open source ecosystem, which currently handles lifecycle management and validation for major enterprise platforms such as Linux, Java, Kubernetes, Kafka, Ansible, Terraform, Flink, and Cassandra. The scale of the undertaking reflects the deeply embedded nature of open source software in modern corporations; IBM itself says it currently utilizes more than 62,000 open source packages across its enterprise footprint.

“Open source is the backbone of today’s digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled,” said Arvind Krishna, Chairman and CEO, IBM. “With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain.
This is about strengthening trust in the systems that power business, government, and society.”

Initial participants in Project Lightwell include Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo.

IBM acquired Red Hat for $34 billion in a deal that was announced in late 2018.

Written By SecurityWeek News