Open-source security is a mess - IBM and Red Hat bet $5 billion and 20,000 engineers can fix it

ZDNET's key takeaways

  • Lightwell is a huge effort to safeguard open-source software.
  • IBM and Red Hat are investing in this massive security initiative.
  • We don't yet know how this subscription-based service will work.

AI is a mixed blessing for open-source software. On the one hand, AI can help developers program faster and find bugs more quickly. On the other hand, maintainers are being overwhelmed by the sheer volume of possibly serious bug reports.

As Daniel Stenberg, founder and maintainer of the popular open-source data transfer program cURL, recently said, "The rate of incoming security reports is 4 to 5 times higher than it was in 2024 and triple the rate of 2025." For the first time, he confessed, "I work more than I've done before, but the flood keeps coming." Stenberg is on the verge of burning out. So he asked for more companies "to fund us" so they could then pay more developers to handle the workload. Now, IBM and its subsidiary Red Hat have heard the call.


Their answer is Project Lightwell, an AI-powered initiative they described as a "first-of-its-kind force" to find and fix vulnerabilities in open-source software at an industrial scale. Lightwell aims to become a de facto clearinghouse for securing the open-source components that underpin modern enterprise IT.

However, the initiative will not pay upstream developers. Instead, Lightwell provides IBM and Red Hat engineers with AI tools to work on important, business-critical open-source projects and make them as secure as possible. Since Anthropic's Mythos Preview model has already identified about 3,900 serious security vulnerabilities in open-source software in just a few weeks, the urgent need for faster fixes is crystal clear.

To take this step, the two companies will invest $5 billion over the coming years to roll out frontier-scale AI models, tooling, and a global engineering organization dedicated to open-source security. This move isn't just an AI play. The companies will also dedicate 20,000 engineers to treating open-source risk as a first-order supply chain problem, not a background maintenance chore.


After all, as ZDNET's own David Gewirtz recently pointed out, "traditional application security is no longer enough." It's not even close to being enough.

Boosting open-source code security

At the heart of Project Lightwell is a new operational model that bridges the gap between enterprises and the upstream communities that build the software they rely on. Rather than launching yet another bug bounty program or code-scanning service, IBM and Red Hat are pitching Lightwell as a trusted intermediary. That is, businesses will feed the initiative information about the open-source software they run. Then, Lightwell engineers will use AI to hunt for flaws and propose fixes. After that, its engineers will work with upstream maintainers to get patches merged and shipped.

The companies said this clearinghouse will combine several functions that today are fragmented across internal security teams, third-party scanners, and community maintainers. Those functions include large-scale vulnerability discovery, triage and prioritization, patch development, backporting, and long-term lifecycle support for the specific versions enterprises actually deploy. If all goes well, this approach will turn the trickle of manual fixes into a high-throughput remediation pipeline that still respects project governance and open development norms.

As Arvind Krishna, IBM's Chairman and CEO, said in a statement, "With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain."


Lightwell will start with the Maven/Java ecosystem, which saw tremendous abuse even before AI appeared on the scene. The project will then be expanded across PyPI, npm, Go, and other important open-source codebases.

IBM's latest AI models will power Lightwell. These systems will be trained to scan massive codebases, dependency graphs, and configuration files for potential vulnerabilities, then generate candidate patches that human engineers validate before anything goes upstream or into customer environments.


The companies argued that this human-in-the-loop approach is essential if AI is to be trusted with security-critical code. Models can surface patterns and issues that human reviewers would never have time to cover, IBM said. However, final decisions about what constitutes a safe and acceptable fix will remain with experienced engineers and project maintainers. In practice, Lightwell is meant to appear to communities as a particularly large and well-organized contributor, not as an opaque automation layer dropping unsolicited pull requests.

Working with, not around, upstream

For Red Hat, Project Lightwell extends a playbook honed over decades: take upstream open source, harden and support it for enterprises, and push improvements back to the community. The difference is scope. While Red Hat's traditional model has centered on its own platforms, including Red Hat Enterprise Linux (RHEL), OpenShift, and Ansible, Lightwell will target the sprawling long tail of libraries, frameworks, and tools that quietly underpin everything from banking systems to AI pipelines.


The companies said Lightwell engineers will file issues, propose patches, and co-maintain critical components alongside existing project leaders rather than forking or replacing them. When upstream maintainers disagree with a fix or decline to support an older branch, Lightwell will still be able to carry hardened backports for its customers. But IBM and Red Hat insisted that the default path is upstream-first, with the clearinghouse acting as a bridge between enterprise production demands and community release cadences.

Supply chain risk as an opportunity

At the same time, IBM and Red Hat explicitly said, "These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management."

These subscriptions are positioned as an overlay on existing software supply chains, not a new distro: Lightwell plugs into the Continuous Integration and Continuous Deployment (CI/CD) pipelines, registries, and Software Bill of Materials (SBOM) processes companies already use, delivering vetted fixes and policy decisions via APIs, catalogs, and integrations.


IBM's senior VP of software, Rob Thomas, told Reuters, "The service will launch as a commercial offering in the next 30 days." This subscription, which will most likely be priced according to the number of packages used, will provide clients with a "stamp of approval from the clearinghouse that their open source is safe to use in production."

That service is all well and good, and surely the two powerhouse companies will be investing a ton of money and deserve to make a profit, but how do the upstream open-source developers and their businesses fit into this new approach? Will this proposed trusted enterprise clearinghouse become a de facto gatekeeper for large companies? If the patches are all placed in upstream repositories, what, exactly, will customers be paying for?

Those are all good questions, and right now there are no good answers. Stay tuned.
