# Open-source security is a mess - IBM and Red Hat bet $5 billion and 20,000 engineers can fix it

> Source: <https://www.zdnet.com/article/open-source-security-is-a-mess-ibm-and-red-hat-bet-5-billion-to-fix-it/>
> Published: 2026-05-29 16:26:00+00:00

### ZDNET's key takeaways

- Lightwell is a huge effort to safeguard open-source software.
- IBM and Red Hat are investing in this massive security initiative.
- We don't yet know how this subscription-based service will work.

[AI is a mixed blessing for open-source software](https://www.zdnet.com/article/ai-curse-and-blessing-to-open-source-software-developers/). On the one hand, AI can help developers program faster and find bugs more quickly. On the other hand, maintainers are being overwhelmed by the sheer volume of potentially serious bug reports.

As Daniel Stenberg, founder and maintainer of the popular open-source data transfer program [cURL](https://curl.se/), recently said, "The rate of [incoming security reports is four to five times higher than it was in 2024](https://daniel.haxx.se/blog/2026/05/26/the-pressure/) and double the speed of 2025." For the first time, he confessed, "I work more than I've done before, but the flood keeps coming." Stenberg is on the verge of burning out. So, he asked for more companies "to fund us" so they could then pay more developers to distribute the workload. Now, [IBM](https://www.ibm.com/us-en) and its subsidiary [Red Hat](https://www.redhat.com/en) have heard the call.

Their answer is [Project Lightwell](https://www.ibm.com/products/lightwell), an AI‑powered initiative they described as a "first‑of‑its‑kind force" to find and fix vulnerabilities in open-source software at an industrial scale. Lightwell aims to become a de facto clearinghouse for securing the open-source components that underpin modern enterprise IT.

However, the initiative will not pay upstream developers. Instead, Lightwell provides IBM and Red Hat engineers with AI tools to work on important, business-critical open-source projects and make them as secure as possible. Since Anthropic's [Mythos Preview model has already identified nearly 3,900 serious security vulnerabilities in open-source software](https://www.ibm.com/products/lightwell) in just a few weeks, the urgent need for faster fixes is crystal clear.

To take this step, the two companies will invest $5 billion over the coming years to roll out frontier‑scale AI models, tooling, and a global engineering organization dedicated to open-source security. This move isn't just an AI play. The companies will also dedicate 20,000 engineers to treating open-source risk as a first‑order supply chain problem, not a background maintenance chore.

After all, as ZDNET's own David Gewirtz recently pointed out, "[traditional application security is no longer enough.](https://www.zdnet.com/article/the-patching-treadmill-why-traditional-application-security-is-no-longer-enough/)" It's not even close to being enough.

## Boosting open-source code security

At the heart of Project Lightwell is a new operational model that bridges the gap between enterprises and the upstream communities that build the software they rely on. Rather than launching yet another bug bounty program or code‑scanning service, IBM and Red Hat are pitching Lightwell as a trusted intermediary. That is, businesses will feed the initiative information about the open-source software they run. Then, Lightwell engineers will use AI to hunt for flaws and propose fixes. After that, its engineers will work with upstream maintainers to get patches merged and shipped.

The companies said this clearinghouse will combine several functions that today are fragmented across internal security teams, third‑party scanners, and community maintainers. Those functions include large‑scale vulnerability discovery, triage and prioritization, patch development, backporting, and long‑term lifecycle support for the specific versions enterprises actually deploy. If all goes well, this approach will transform the trickle of manual fixes into a high‑throughput remediation pipeline that still respects project governance and open development norms.

As Arvind Krishna, IBM's Chairman and CEO, said in a statement, "With Project Lightwell, [IBM and Red Hat are helping define a new industry model,](https://newsroom.ibm.com/2026-05-28-ibm-and-red-hat-commit-5-billion-to-redefine-the-future-of-open-source-in-the-ai-era) one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain."

Lightwell will start with the Maven/Java ecosystem, which witnessed enormous abuse even before AI appeared on the scene. The project will then be expanded across PyPI, npm, Go, and other important open-source codebases.

IBM's latest AI models will power Lightwell. These systems will be trained to scan massive codebases, dependency graphs, and configuration archives for potential vulnerabilities, then generate candidate patches that human engineers validate before anything goes upstream or into customer environments.

The companies argued that this human‑in‑the‑loop approach is essential if AI is to be trusted with security‑critical code. Models can surface patterns and issues that human reviewers would never have time to cover, IBM said. However, final decisions about what constitutes a safe and acceptable fix will remain with experienced engineers and project maintainers. In practice, Lightwell is meant to appear to communities as a particularly large and well‑organized contributor, not as an opaque automation layer dropping unsolicited pull requests.

## Working with, not around, upstream

For Red Hat, Project Lightwell extends a playbook honed for decades. The initiative will take upstream open source, harden and support it for enterprises, and push improvements back to the community. The difference is scope. While Red Hat's traditional model has centered on platforms such as its own products, including Red Hat Enterprise Linux (RHEL), OpenShift, and Ansible, Lightwell will target the sprawling long tail of libraries, frameworks, and tools that quietly underpin everything from banking systems to AI pipelines.

The companies said Lightwell engineers will file issues, propose patches, and co‑maintain critical components alongside existing project leaders rather than forking or replacing them. When upstream maintainers disagree with a fix or decline to support an older branch, Lightwell will still be able to carry hardened backports for its customers. But IBM and Red Hat insisted that the default path is upstream‑first, with the clearinghouse acting as a bridge between enterprise production demands and community release cadences.

## Supply chain risk as an opportunity

At the same time, IBM and Red Hat explicitly said, "These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management."

These subscriptions are positioned as an overlay on existing software supply chains, not a new distro: Lightwell plugs into Continuous Integration and Continuous Deployment (CI/CD), registries, and Software Bill of Materials (SBOM) processes companies already use, delivering vetted fixes and policy decisions via APIs, catalogs, and integrations.

IBM's senior VP of software, Rob Thomas, told Reuters, "[The service will launch as a commercial offering](https://www.reuters.com/legal/transactional/ibm-commits-5-billion-secure-open-source-software-2026-05-28/) in the next 30 days." This subscription, which will probably be priced according to the number of packages used, will provide clients with a "stamp of approval from the clearinghouse that their open source is safe to use in production."

That service is all well and good, and certainly the two powerhouse companies will be investing a ton of money and deserve to make a profit, but how do the upstream open-source developers and their businesses fit into this new approach? Will this proposed trusted enterprise clearinghouse become a de facto gatekeeper for big companies? If the patches are all placed in upstream repositories, what, exactly, will customers be paying for?

Those are all good questions, and right now there are no good answers. Stay tuned.