IBM and Red Hat Launch $5 Billion Initiative to Secure Open-Source Software
IBM and Red Hat invest heavily in Project Lightwell to address open-source software vulnerabilities revealed by Anthropic's AI.

Key points
- IBM and Red Hat launched Project Lightwell with a $5 billion investment on June 2023.
- Anthropic's AI identified 1,596 vulnerabilities across 281 projects; only 97 were patched by May 2023.
- Project Glasswing expanded to 150 organizations involved in critical infrastructure.
- IBM collaborates with Deloitte to enhance regulatory compliance and patch management.
IBM and its subsidiary Red Hat have announced a significant $5 billion investment in Project Lightwell. The initiative aims to offer a subscription-based patching service for businesses running mission-critical systems on open-source software, ensuring they remain secure without the need for disruptive updates. This is the largest known commitment targeting open-source software security specifically, second only to Google's broader $10 billion cybersecurity initiative in 2021.
Anthropic's Claude Mythos Preview model, released in April, was a key factor in the development of Project Lightwell. This AI tool is part of Project Glasswing, a coordinated defense initiative that has now expanded to include 150 organizations. These participants span critical infrastructure sectors like power, water, healthcare, and communications. The AI-driven discovery of open-source vulnerabilities is outpacing the industry's ability to patch them, leading to concerns noted by the Cloud Security Alliance.
Anthropic has disclosed 1,596 vulnerabilities across 281 open-source projects, but only 97 have been patched, translating to a roughly 6 percent fix rate. The pace of AI-driven discovery has outstripped the capacity of human teams to address these issues within the standard 90-day disclosure window. IBM joined Project Glasswing in May, before launching Lightwell, to strengthen its product security and contribute to the open-source community.
How did the hackers get in?
No hackers are involved in this scenario. Instead, it is an AI model that has identified vulnerabilities, which are weaknesses in software that could be exploited if not patched. Anthropic's AI, part of Project Glasswing, scans open-source software for these vulnerabilities faster than human teams can fix them.
Project Lightwell seeks to bridge the gap between vulnerability discovery and patching. It identifies vulnerabilities in the specific version of open-source software an enterprise uses, then develops a fix for that version without requiring system upgrades. This is crucial for industries with strict regulatory requirements, where changing software versions could trigger lengthy compliance reviews.
IBM is launching Lightwell with 11 design partners from the banking sector, including JPMorgan Chase and Visa. Over 20,000 engineers are dedicated to this effort, utilizing tools like IBM Bob, an AI development platform, and Concert Secure Coder, which detects vulnerabilities as developers write code.
The collaboration with Deloitte aims to enhance the management of software supply chains. Deloitte will help clients map open-source components, maintain continuous software bills of materials, and ensure the proper installation of patches. This partnership also includes breach-reporting support and coordinated disclosure to software maintainers, aiming to bolster the ecosystem's security.
While some critics, like Dan Lorenc of Chainguard, question the scale of IBM's investment, others see the effort as a positive step in addressing the growing challenge of securing open-source software with AI.



