IBM has committed $5 billion to Project Lightwell, a joint initiative with Red Hat focused on open-source software security. The initiative will involve more than 20,000 engineers and AI tools to identify and fix vulnerabilities in open-source software used in corporate technology environments.

IBM senior vice president of software Rob Thomas told Reuters that the service is expected to launch as a commercial offering in 30 days. He said it will likely be sold through subscriptions based on the number of software packages a company uses.

The service will verify whether specific open-source packages are safe for production use. Thomas described it as a “stamp of approval” from the clearinghouse.

IBM and Red Hat have piloted Project Lightwell with companies including Bank of America, JPMorgan Chase, and Visa. Other initial participants include BNY, Citi, Goldman Sachs, Mastercard, and Morgan Stanley. Royal Bank of Canada, State Street, and Wells Fargo are also involved.

AI will be used to identify and triage vulnerabilities in open-source code bases and to prioritise and validate fixes. Engineers working on the project will handle upstream maintenance, patch development, and release engineering.

AI vulnerability review

IBM said more than 90% of Fortune 500 companies rely on open-source software, while IBM itself uses more than 62,000 open-source packages. IBM estimated that publicly disclosed software vulnerabilities could reach up to 59,000 by 2026, citing CVE.org data.

IBM cited Anthropic’s recent Project Glasswing work, saying its Mythos Preview model identified nearly 3,900 high- or critical-severity vulnerabilities in open-source software. Anthropic said 1,752 high- or critical-rated findings had been assessed. Among those assessed findings, Anthropic said 90.6% were valid true positives, while 62.4% were confirmed as high- or critical-severity.

Patch delivery

The initiative builds on IBM and Red Hat’s existing work around commercial open-source software.
That includes lifecycle management and validation for platforms like Linux, Java, and Kubernetes. IBM also named Kafka, Ansible, Terraform, Flink, and Cassandra.

Project Lightwell covers software from development to production. IBM said enterprises will be able to report sensitive security issues and receive validated patches for production environments. They will also be able to coordinate fixes with upstream open-source communities.

IBM said Project Lightwell can use dependency manifests, like pom.xml, to identify affected components. The company said patched artifacts can then be delivered to repositories controlled by enterprise users, without requiring access to application source code.

CISA describes an SBOM as a formal record of the components and supply chain relationships used to build software. Transitive dependencies are packages pulled in by other packages. A 2026 study on SBOM-based software composition analysis found that hidden dependencies and component variants can cause inconsistent vulnerability reporting in scanners.

IBM said the service can also backport fixes to dependency versions already tested and deployed in production. Backporting applies a fix to an older software version without requiring a move to a newer package release.

Beyond Red Hat platforms

IBM said Project Lightwell will cover open-source components beyond Red Hat’s own platforms, including independent libraries and language toolchains. AI frameworks and data streaming platforms are also included.

IBM linked Project Lightwell to wider efforts around digital infrastructure security. The company did not specify any government contracts or public-sector deployments tied to the initiative.
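The two points in the Patch delivery section above, using a dependency manifest such as pom.xml to identify affected components and the way transitive dependencies hide from manifest-only scans, can be shown with a small scanner. This is an added example, not IBM's, Red Hat's or Project Lightwell's code. The pom.xml, the transitive dependency graph and the advisory list are all constructed for illustration; in practice the resolved graph would come from the build tool or an SBOM, and the advisories from a vulnerability database.

```python
"""Identify affected components from a Maven manifest plus a resolved graph.

Added illustration, not Project Lightwell code. Every input below
(manifest, transitive graph, advisories) is constructed for the example.
"""
import xml.etree.ElementTree as ET
from collections import deque

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed manifest with two direct dependencies.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.corp</groupId>
  <artifactId>payments</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>example.web</groupId>
      <artifactId>http-server</artifactId>
      <version>2.3.0</version>
    </dependency>
    <dependency>
      <groupId>example.data</groupId>
      <artifactId>json-mapper</artifactId>
      <version>1.8.1</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed transitive graph: what each resolved artifact pulls in.
# A real tool would read this from the build's dependency tree or an SBOM.
TRANSITIVE = {
    "example.web:http-server:2.3.0": ["example.util:text-codec:0.9.2"],
    "example.data:json-mapper:1.8.1": ["example.util:text-codec:0.9.2",
                                       "example.log:logger:3.1.0"],
    "example.util:text-codec:0.9.2": [],
    "example.log:logger:3.1.0": [],
}

# Constructed advisories: (group:artifact, affected versions, fixed version).
ADVISORIES = [
    ("example.util:text-codec", {"0.9.0", "0.9.1", "0.9.2"}, "0.9.3"),
    ("example.log:logger", {"3.0.0"}, "3.0.1"),
]


def parse_direct_dependencies(pom_text):
    """Return 'group:artifact:version' for each <dependency> in the pom."""
    root = ET.fromstring(pom_text)
    deps = []
    for dep in root.iter(MAVEN_NS + "dependency"):
        parts = [dep.findtext(MAVEN_NS + tag)
                 for tag in ("groupId", "artifactId", "version")]
        if None in parts:  # version inherited from a parent/BOM: cannot pin here
            continue
        deps.append(":".join(parts))
    return deps


def resolve_transitive(direct, graph):
    """Breadth-first walk from the direct deps; returns {coordinate: path}."""
    reached = {}
    queue = deque((d, [d]) for d in direct)
    while queue:
        coord, path = queue.popleft()
        if coord in reached:  # keep the first (shortest) path seen
            continue
        reached[coord] = path
        for child in graph.get(coord, []):
            queue.append((child, path + [child]))
    return reached


def find_affected(resolved, advisories):
    """Match each resolved coordinate against the advisory list."""
    findings = []
    for coord, path in resolved.items():
        group_artifact, _, version = coord.rpartition(":")
        for adv_ga, bad_versions, fixed in advisories:
            if group_artifact == adv_ga and version in bad_versions:
                findings.append({
                    "component": coord,
                    "fixed_in": fixed,
                    "direct": len(path) == 1,
                    "path": " -> ".join(path),
                })
    return findings


def scan(pom_text, graph=TRANSITIVE, advisories=ADVISORIES):
    """Full scan: manifest -> resolved graph -> advisory matches."""
    direct = parse_direct_dependencies(pom_text)
    return find_affected(resolve_transitive(direct, graph), advisories)


def scan_direct_only(pom_text, advisories=ADVISORIES):
    """Manifest-only scan, ignoring transitive dependencies."""
    direct = parse_direct_dependencies(pom_text)
    return find_affected({d: [d] for d in direct}, advisories)


if __name__ == "__main__":
    for f in scan(POM_XML):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{kind:10} {f['component']}  fix: {f['fixed_in']}  via {f['path']}")
```

Run as a script, the full scan reports the vulnerable text-codec 0.9.2 reached through http-server, while the manifest-only scan reports nothing: neither direct dependency is itself affected. That gap is the hidden-dependency problem the cited SBOM study describes, and it is why a scanner needs the resolved graph, not just the manifest.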