Open-source software powers the modern internet. It also harbors security holes that leave enterprises exposed. IBM and Red Hat are now betting billions of dollars and tens of thousands of engineers that artificial intelligence can change that calculus.

The two companies announced Project Lightwell, an initiative that combines AI models with human expertise to find and fix vulnerabilities across the open-source software supply chain. IBM will invest $5 billion and dedicate 20,000 engineers from Red Hat and IBM to the effort.

What Is Project Lightwell?

Project Lightwell uses AI models trained on vast datasets of code and known vulnerabilities. The system scans open-source libraries, identifies weaknesses and suggests patches. Human engineers then verify and deploy the fixes.

The goal is industrial scale. Current manual processes cannot keep up with the volume of open-source code being written and reused. IBM and Red Hat want to automate the discovery and remediation cycle to close security gaps before attackers can exploit them.

The initiative builds on years of work from both companies in enterprise open source. Red Hat already maintains one of the largest open-source software portfolios in the world. IBM brings AI expertise from its Watson research unit.

Why This Matters

Supply chain attacks targeting open-source software have become one of the most pressing cybersecurity threats. The Log4j vulnerability in 2021 showed how a flaw in a widely used library can ripple across the global economy. Companies spend billions on security but struggle to keep dependencies up to date.

Project Lightwell aims to tackle that problem at its source. By using AI to scan code proactively and automatically generate patches, the initiative could reduce the window between a vulnerability being discovered and a fix being available. This directly affects every organization that relies on open-source components.

Smaller companies and independent developers often lack the resources to audit every dependency. A centralized, AI-powered approach could provide security at scale that was previously available only to large enterprises.

AI Meets Human Oversight

The initiative does not rely on AI alone. Human engineers will review every patch before it is released. This hybrid approach addresses concerns about AI-generated code introducing new vulnerabilities or breaking functionality.

IBM and Red Hat are also committing to transparency. The project will publish its findings and patches publicly, contributing back to the open-source community. The companies hope other organizations will join the effort.

Security researchers have long called for systematic investment in open-source maintenance. Project Lightwell represents the largest coordinated push to date. Whether it can keep pace with the rapidly expanding open-source ecosystem remains to be seen, but the scale of the commitment signals a shift in how the industry approaches the problem.