
IBM and Red Hat unveiled Project Lightwell, an AI-driven initiative that aims to centralize and accelerate security fixes for open-source software used in enterprise environments. The companies plan to invest $5 billion and assemble a global organization of 20,000 engineers to deploy frontier-scale models and tooling to discover, triage, patch and backport vulnerabilities. If successful, the program could materially reduce supply-chain risk for businesses that rely on widely deployed open-source components.
Lightwell pairs automated vulnerability discovery with human engineering to increase the throughput of fixes and downstream remediation for business-critical open-source components. Rather than functioning as a simple bug bounty or standalone code scanner, the initiative combines large-scale discovery, prioritization, patch development, coordinated backports and long-term lifecycle support for the specific versions companies run.
The program will not pay upstream maintainers directly. Instead, IBM and Red Hat say they will equip their own engineers with AI-powered tools to hunt for flaws, develop patches, backport fixes and work with maintainers to get changes merged and shipped. Businesses will supply information about the open-source software they run so Lightwell can focus its efforts on enterprise-relevant components and deployed versions.
The announcement follows a surge in vulnerability reports that many volunteer maintainers struggle to absorb. Daniel Stenberg, the cURL maintainer, said reports are now running four to five times higher than in 2024 and arriving at twice the rate seen in 2025. Separately, Anthropic's Mythos Preview reportedly identified nearly 3,900 serious vulnerabilities in open-source software within weeks, underscoring a scale of problem that, industry observers say, traditional application-security tooling no longer addresses adequately.
If Lightwell scales as described, it could convert a trickle of manual, volunteer-led fixes into sustained, high-throughput remediation for widely deployed OSS components, including coordinated backports and lifecycle support for deployed versions. That outcome would lower risk for enterprises, but it would also raise questions about incentives and about the effect of a large corporate-led remediation force operating inside upstream communities.
Several operational unknowns remain: how any subscription or service model will work in practice, how the program will coordinate with diverse upstream communities, and whether Lightwell can avoid introducing new workflow bottlenecks of its own. IBM and Red Hat frame the effort as treating open-source risk as a first-order supply-chain problem: an experiment in coupling frontier AI with dedicated engineering to shore up critical open-source software.