ZDNET’s key takeaways
- Lightwell represents a massive push to protect open-source software.
- IBM and Red Hat are pouring resources into this sweeping security effort.
- The exact mechanics of this paid subscription service remain unclear for now.
AI presents a double-edged sword for open-source software. While it enables developers to code more rapidly and detect issues sooner, it also floods maintainers with a relentless stream of security alerts that could involve critical flaws.
Daniel Stenberg, who created and oversees the widely used open-source data transfer tool curl, recently shared his experience: “Security reports are arriving four to five times faster than they did in 2024, and twice as fast as in 2025.” He admitted that, despite working longer hours than ever, “the tide never stops.” Stenberg is approaching burnout and has appealed for increased corporate financial support so he can bring on extra developers to share the load. IBM and Red Hat have now responded to this plea.
Their solution is Project Lightwell, an AI-driven program they’ve called a “pioneering force” for detecting and patching security holes in open-source software on a massive scale. Lightwell is designed to serve as a central hub for fortifying the open-source elements that form the backbone of today’s corporate IT.
However, the program won’t directly compensate the original project developers. Instead, it supplies IBM and Red Hat staff with AI-assisted tools to refine and secure mission-critical open-source software. Given that Anthropic’s Mythos Preview model uncovered close to 3,900 significant security flaws in open-source code within a short timeframe, the demand for accelerated responses is unmistakable.
To make it happen, both firms plan to commit $5 billion over the coming years to deploy cutting-edge AI models, software tools, and a worldwide engineering team focused on open-source safety. This isn’t purely about AI, though—they’ll also assign 20,000 engineers to tackle open-source security as a top-tier supply chain priority, rather than a routine maintenance task.
As ZDNET writer David Gewirtz recently emphasized, “Relying on conventional application security measures simply isn’t sufficient anymore.” It falls far short of what’s needed.
Strengthening open-source code security
Project Lightwell introduces a fresh approach that connects businesses with the upstream communities responsible for the software they depend on. Instead of creating another bug-tracking program or scanning tool, IBM and Red Hat positioned Lightwell as a reliable middleman: organizations will share details about the open-source components in use, Lightwell engineers will deploy AI to search for weaknesses and draft solutions, and then they’ll collaborate with upstream maintainers to integrate and release fixes.
The firms explained that this hub consolidates tasks currently scattered among internal IT security departments, outside scanning services, and community volunteers—from large-scale detection and severity ranking to patch creation, backporting, and ongoing support for the versions businesses actually run. If successful, this strategy transforms a slow, manual repair process into a rapid remediation workflow that still honors project leadership standards and open-source principles.
IBM Chairman and CEO Arvind Krishna stated that, “Through Project Lightwell, IBM and Red Hat are shaping a new industry standard—merging AI capabilities, technical skill, and trustworthy partnerships to safeguard open-source software at its roots and across the entire supply chain.”
Lightwell will initially focus on the Maven/Java ecosystem, which has faced significant security threats even before the AI era. The scope will later grow to include PyPI, npm, Go, and other foundational codebases.
IBM’s most advanced AI systems will drive Lightwell, trained to analyze large code repositories, dependency networks, and configuration files for security risks, then draft fixes that experts review before being shared upstream or deployed.
The companies stressed that keeping humans involved in this process is crucial for trusting AI with sensitive security work. IBM noted that AI can highlight threats and patterns beyond what manual reviewers could practically handle, yet final choices on what qualifies as a safe and appropriate patch stay with seasoned engineers and project leaders. Essentially, Lightwell aims to integrate into communities as a major, structured contributor rather than an anonymous automated system flooding projects with unexpected code submissions.
Partnering with upstream communities
For Red Hat, Project Lightwell builds on a strategy they’ve refined over decades. The project will take upstream software, strengthen it for corporate users, and feed enhancements back to the community. What sets this apart is the breadth. Unlike Red Hat’s traditional focus on platforms like its own Red Hat Enterprise Linux (RHEL), OpenShift, and Ansible, Lightwell reaches into the vast ecosystem of libraries, frameworks, and utilities that silently support everything from financial systems to machine learning pipelines.
The firms explained that Lightwell engineers will report issues, submit patches, and co-manage important modules with current lead developers rather than creating separate forks. Even when upstream developers reject a fix or choose not to maintain an older version, Lightwell can still provide security updates to its clients. IBM and Red Hat emphasized that the preferred approach is always upstream-first, with the hub linking enterprise production needs to community release schedules.
Turning supply chain risks into opportunity
IBM and Red Hat also made clear that, “These services will be available through commercial subscriptions, letting businesses embed verified patches straight into their current software supply chains with professional-grade quality assurance and version management.”
The subscription wraps around existing supply chains rather than replacing them—Lightwell connects to a company’s CI/CD pipelines, registries, and SBOM workflows, delivering reviewed fixes and governance decisions through APIs, directories, and integrations.
IBM Senior Vice President of Software Rob Thomas told Reuters that, “The service will debut as a paid offering within the next 30 days.” The subscription, likely structured around the number of packages a business uses, provides customers with official verification from the hub that their open-source software is production-ready.
There’s no doubt this is a sound approach—these industry giants are committing substantial resources and are entitled to generate returns. But where does this leave the original open-source creators and their operations? Could this proposed enterprise hub evolve into an unavoidable checkpoint for large corporations? And if fixes ultimately reach upstream repositories, what specifically are the paying customers getting?
These are pressing questions without clear answers yet. We’ll keep you updated.