Introducing Project Lightwell

Securing the open source supply chain

Open source software underpins nearly every aspect of enterprise IT, but cutting-edge frontier models have reshaped the open source cybersecurity landscape. AI-driven vulnerability discovery is an unprecedented threat, and it demands an unprecedented solution to secure open source.

That’s why we’re launching Project Lightwell from IBM and Red Hat, a $5 billion, AI-powered, 20,000 engineer-strong, first-of-its-kind force to identify and fix open source vulnerabilities at scale.


What is Project Lightwell?

Our commitment to the future of open source in the AI era

At its core, Project Lightwell establishes an enterprise clearinghouse for open source software. It extends Red Hat’s proven model of enterprise open source maintenance far beyond our traditional product footprint.

Our customers have trusted us for decades to apply upstream fixes to our own open source products—we test, sign, and ship them, then land those patches upstream so the broader community benefits. Now, Project Lightwell extends that support beyond Red Hat® software to the full scope of open source components across the entire application ecosystem, including:

  • Independent libraries
  • Language toolchains
  • AI frameworks
  • Data streaming platforms

Customers will share security issues discovered in specific versions of software they’re running, consume Project Lightwell’s verified enterprise fixes, then rely on Red Hat for the upstream disclosure process, supporting long-term system stability.

For over two decades, Red Hat has backported security patches across thousands of packages. Project Lightwell scales this exact model across the entire open source ecosystem. We are applying the same discipline, upstream-always commitment, and engineering rigor across all active application layers.

Matt Hicks

President and CEO, Red Hat

How it works

Our engineering advantage

Many technology companies are using AI to reduce technical headcount, but through Project Lightspeed, IBM and Red Hat are taking a different approach. We’re pairing a massive engineering force with advanced automation and AI capabilities. In short, we’re positioning technical engineering capacity as a premium strategic asset and a source of market differentiation.

IBM and Red Hat will deploy a team of more than 20,000 engineers and advanced AI capabilities to operate across both upstream and enterprise environments focused on:

  • Upstream maintenance alongside open source community leaders
  • High-volume, AI-assisted vulnerability review, triage, and prioritization
  • Secure patch development, dependency hardening, and release engineering

Customers point their existing build tools (like Artifactory, Nexus, or Maven) at Red Hat's secure registry via a one-line configuration change. Red Hat scans, backports, tests, signs, and delivers patched artifacts at the customer's pinned version. Patches are contributed upstream simultaneously.

These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management.

We believe solving the future of open source security requires an understanding of community context, deep knowledge of backport compatibility, responsible disclosure practices, and upstream know-how. We’re leaning into AI for the initial data ingestion and acceleration, but relying on human technical expertise and open source credibility for the critical judgement calls.


Red Hat’s security ecosystem


Red Hat Sovereign Cloud

Build and deploy multi-tenant infrastructure with a sovereign support model designed to mitigate extra-territorial risk and meet regulatory compliance.


Red Hat Hardened Images

A free, vendor-neutral catalog of trusted, micro-sized images created from Red Hat’s years of expertise.


Red Hat Enterprise Linux Long-Life Add-On

Get continued access to critical software security and bug fixes, including technical support for any version of Red Hat Enterprise Linux with no pre-determined end date.

Solutions to support your compliance management goals

Follow our progress

What’s next for Project Lightwell?

We’ve already started working with select early adopters. These organizations are applying Project Lightwell to real-world environments, helping shape how vulnerabilities are identified, validated, and remediated across complex, production-grade software supply chains.

We’ll use these real-world use cases to prepare Project Lightwell for a growing customer base. And we'll share our progress and insights with you as we prepare for broader adoption. You can expect to learn about our progress, customer stories, and lessons learned from building this industry-first effort to redefine the future of open source security in the AI era.
