OraCore Editors

IBM, Red Hat pledge $5B for open source AI security

IBM and Red Hat are launching Project Lightwell, a $5 billion push to secure open source software with AI and 20,000 engineers.


IBM and Red Hat said on May 28, 2026, they will invest $5 billion in Project Lightwell, a program aimed at securing open source software across enterprise supply chains. The plan pairs frontier AI tools with more than 20,000 engineers and a new enterprise clearinghouse for vulnerability response.

| Item | Value |
| --- | --- |
| Commitment | $5 billion |
| Announcement date | May 28, 2026 |
| Engineers involved | More than 20,000 |
| Fortune 500 reliance on OSS | More than 90% |
| Vulnerabilities found by Anthropic Mythos Preview | Nearly 3,900 |

What changed

Project Lightwell is designed as a trusted clearinghouse for open source security work. IBM says enterprises will be able to report sensitive issues through an intermediary, get validated patches for production systems, and push fixes upstream so communities can fold them into long-term maintenance.

The companies say the service will cover both Red Hat products and independent community code, including libraries, language toolchains, AI frameworks, and data streaming platforms. IBM says it already uses more than 62,000 open source packages and has deep expertise in over 10,000 of them, which it plans to extend into a broader commercial model.

  • AI-assisted vulnerability review, triage, and prioritization
  • Secure patch development and dependency hardening
  • Release engineering for enterprise environments
  • Commercial subscriptions for validated fixes and lifecycle management

IBM also named several early adopters already testing the approach, including Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. Their feedback will shape how the system identifies, validates, and remediates issues at scale.

Why it matters

Open source now underpins most enterprise infrastructure, but AI tools are also making it easier to find and exploit flaws. IBM is pitching Project Lightwell as a way to give companies a faster path from bug discovery to trusted patching without forcing them to build that security pipeline alone.

For developers, the pitch is less about a new product and more about a new operating model: upstream maintenance, patch validation, and supply chain security wrapped into one paid service. For the market, the move turns open source security into a larger enterprise buying category.

IBM CEO Arvind Krishna framed the effort as a response to an inflection point in how open source is built and secured. The core question now is whether enterprises will treat this as a one-off security service or as the template for how critical open source gets maintained at scale.