Open-source security is a mess - IBM and Red Hat bet $5 billion and 20,000 engineers can fix it

2026-05-29 · Source: News and Advice on the World's Latest Innovations | ZDNET · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Software Development & Engineering · Depth: Intermediate, medium

Summary

IBM and Red Hat have launched Project Lightwell, an AI-powered initiative designed to identify and remediate vulnerabilities in open-source software at an industrial scale. This effort responds to the escalating volume of security reports, exemplified by cURL maintainer Daniel Steinberg's experience of a 4-5x higher rate than 2024. The companies are investing \$5 billion over several years and dedicating 20,000 engineers to treat open-source risk as a supply chain problem. Lightwell will utilize frontier-scale AI models, including those from IBM, to scan codebases and generate candidate patches, which human engineers will then validate and work with upstream maintainers to merge. Starting with the Maven/Java ecosystem, the project will expand to PyPI, npm, and Go. Lightwell aims to become a trusted intermediary, offering commercial subscriptions within 30 days to provide enterprises with vetted fixes and a "stamp of approval" for production-safe open-source components.

Key takeaway

For Directors of AI/ML or Security Engineers managing extensive open-source dependencies, IBM and Red Hat's Project Lightwell presents a significant new commercial offering. You should evaluate this subscription service, launching within 30 days, as a potential solution for integrating enterprise-grade validated patches and lifecycle management directly into your CI/CD and SBOM processes. This could transform your approach to open-source supply chain security, but carefully assess its long-term implications regarding potential vendor lock-in or gatekeeping.

Key insights

AI-powered, human-validated initiatives can secure open-source software at scale, addressing escalating vulnerability reports.

Principles

• Open-source risk is a first-order supply chain problem.
• Traditional application security is no longer sufficient.
• AI in security-critical code needs human validation.

Method

Lightwell engineers use AI to find flaws, propose fixes, then collaborate with upstream maintainers to merge patches.

In practice

• Integrate secure patches via APIs and catalogs.
• Scan codebases with AI models for vulnerabilities.
• Prioritize open-source supply chain security.

Topics

• Project Lightwell
• Open-source Security
• Software Supply Chain
• AI Security
• Vulnerability Management
• IBM Red Hat

Best for: CTO, VP of Engineering/Data, AI Architect, AI Security Engineer, Security Engineer, Director of AI/ML

Related on AIssential

• IBM and Red Hat Commit $5 Billion to Redefine the Future of Open Source in the AI Era — IBM and Red Hat's Project Lightwell secures open source software supply chains using an AI-driven clearinghouse and 20,000 engineers.
• Delve did the security compliance on LiteLLM, an AI project hit by malware — Open-source projects face significant supply chain risks, even with security certifications.
• Four AI supply-chain attacks in 50 days exposed the release pipeline red teams aren't covering — AI supply chain security gaps in release pipelines pose a greater threat than model-specific vulnerabilities.
• GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK — Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.
• Our response to the TanStack npm supply chain attack — Supply chain attacks targeting open-source dependencies pose a significant and evolving threat to modern software ecosystems.
• Our latest investment in open source security for the AI era — Industry leaders are investing $12.5 million and AI tools to proactively secure open source against AI-driven threats.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by News and Advice on the World's Latest Innovations | ZDNET.