Stock Markets May 28, 2026 06:13 AM

IBM Pledges $5 Billion to Bolster Security for Open-Source Software

Project Lightwell to operate as a clearinghouse, offering vetted fixes, confidential reporting and commercial subscriptions

By Sofia Navarro IBM

IBM announced a $5 billion commitment to Project Lightwell, an initiative that will deploy engineers and AI tools to help companies secure open-source software. The program aims to establish a clearinghouse for reporting and fixing vulnerabilities across the software supply chain, and will be offered as a commercial subscription within the next 30 days. IBM and Red Hat have tested the system with several large financial firms to refine its vulnerability identification and remediation processes.


Key Points

  • IBM committed $5 billion to Project Lightwell, a program combining engineers and AI tools to secure open-source software.
  • Project Lightwell will function as a clearinghouse where companies can confidentially report flaws, obtain tested patches and share fixes with the open-source community; the service will be available commercially within the next 30 days via subscription likely priced by number of packages.
  • The initiative has been piloted with financial-services firms including Bank of America, JPMorgan Chase and Visa, and extends Red Hat’s platform-focused security approach to independent open-source components like libraries and AI frameworks.

IBM said it is investing $5 billion in an initiative aimed at improving the security of open-source software used by enterprises. The effort, named Project Lightwell, combines human engineering resources and AI-driven tools to help companies identify, remediate and manage risks within widely used open-source components.

Project Lightwell is being positioned as a centralized clearinghouse for open-source security. According to IBM, the platform will let organizations confidentially report security flaws, receive tested fixes and make those fixes available to the wider open-source community. The service is designed to operate throughout the software life cycle - from development to production - and to allow businesses to integrate vetted security patches directly into their existing systems.

IBM and its hybrid cloud arm Red Hat have run pilots of Project Lightwell with a small group of enterprises, including Bank of America, JPMorgan Chase and Visa. Those pilot programs were intended to refine how the initiative detects and resolves vulnerabilities within complex enterprise software environments.

Rob Thomas, IBM’s senior vice president of software, told Reuters that Project Lightwell will be made available as a commercial offering within the next 30 days. He said the service will likely be sold via subscriptions priced based on the number of packages a customer uses. Thomas added that the offering will provide clients with what he described as a "stamp of approval from the clearinghouse that their open source is safe to use in production."

IBM said the initiative builds on Red Hat’s established model for securing software on its own platforms and expands that approach to cover a broader set of independent open-source components, such as libraries and AI frameworks. The company framed Project Lightwell as a mechanism to manage risk across the software supply chain, where widely used open-source code has increasingly become a target for attackers.

The announcement highlights growing concern over the security of freely available code, which powers large portions of corporate technology stacks. IBM emphasized that the combination of broad open-source usage and the increasing capabilities of AI to discover and exploit flaws creates heightened urgency for more systematic security measures.

Contextual note: The information above reflects IBM’s statements about Project Lightwell, its pilots and planned commercial launch. Details about pricing and implementation are those provided by IBM and have not been expanded beyond the company’s disclosures.

Risks

  • Open-source components remain a prime target for attackers; widespread use increases exposure for technology and software sectors.
  • Advances in AI are making it easier for bad actors to identify and exploit security flaws, heightening risk for companies that rely on open-source code.
  • Uncertainty around subscription pricing and the speed of integration into existing enterprise workflows could affect adoption rates among large organizations, with potential implications for IT and cybersecurity budgets.
