IBM and Red Hat: $5 billion for more secure open-source software

5 billion US dollars, a central security clearinghouse, and AI-powered analysis: IBM and Red Hat aim to secure open source for the AI era.

(Image: Vanessa Bahr / heise medien)

IBM and Red Hat plan to invest 5 billion US dollars in the expansion and security of open-source software for AI. The core of the initiative, codenamed Project Lightwell, is a “Trusted Open Source Security Clearinghouse” that aims to use AI to detect and fix security vulnerabilities in open-source components more quickly.

The clearinghouse is intended to serve as a central point of contact for companies to identify and validate vulnerabilities in open-source software throughout the entire software supply chain. Clearinghouse services will be offered via commercial subscriptions. For this service, IBM and Red Hat will combine new AI-powered security methods with a global network of more than 20,000 experts.

According to IBM and Red Hat, Project Lightwell is particularly aimed at companies that use large amounts of open-source components. Modern enterprise applications and AI systems are often based on thousands of libraries, frameworks, and tools from open-source projects. Vulnerabilities in individual components can therefore have far-reaching consequences – as seen with the Log4j zero-day vulnerability in 2021 or the xz backdoor in 2024.

According to the companies, the clearinghouse will identify security problems not just in finished products, but already in the underlying open-source building blocks and development tools. IBM and Red Hat mention libraries, language toolchains, AI frameworks, and data platforms, among others. The goal is to fix security problems “at its source.”

IBM points to experience from its own security initiatives and to insights from projects such as Anthropic's Project Glasswing or OpenAI's Trust Access for Cyber. The companies intend to use so-called agentic AI methods, in which AI systems analyze security problems largely automatically and initiate remediation measures on their own.


In addition to the investments, IBM particularly emphasizes the scope of the development effort. More than 20,000 specialists worldwide are to be involved in Project Lightwell. The company speaks of “AI-powered engineering at global scale.”

According to IBM, early partners and pilot customers include several major financial companies, among them Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa, and Wells Fargo. The experiences of these early adopters are to be incorporated into the development of the clearinghouse.

IBM and Red Hat describe open source as the foundation of modern AI and enterprise infrastructures. Both companies point to the growing importance of secure and trustworthy open-source software for AI applications and hybrid cloud environments. In this context, digital sovereignty and the security of the software supply chain are also central.

The companies also mention AI models, tools for developing and operating AI applications, and technologies for hybrid cloud environments as further focus areas. Hybrid cloud refers to the operation of applications across multiple infrastructure types, for example, in one's own data center and in parallel in the public cloud.

IBM and Red Hat have not yet announced further products or a detailed breakdown of the investment sum. IBM acquired Red Hat in 2019 and has since pursued a strategy centered around open source and hybrid IT infrastructures.

(fo)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.