Open-source security is a mess - IBM and Red Hat bet $5 billion and 20,000 engineers can fix it

Business Home Business Enterprise Software Open-source security is a mess - IBM and Red Hat bet $5 billion and 20,000 engineers can fix it Project Lightwell is an AI‑powered initiative to find and fix vulnerabilities in open-source software at an industrial scale. Here's what we know so far. Written by Steven Vaughan-Nichols, Senior Contributing Editor Senior Contributing Editor May 29, 2026 at 9:26 a.m. PT PeterPhoto123 via Shutterstock Follow ZDNET:  Add us as a preferred source  on Google. ZDNET's key takeaways Lightwell is a huge effort to safeguard open-source software. IBM and Red Hat are investing in this massive security initiative.  We don't yet know how this subscription-based service will work.  AI is a mixed blessing for open-source software . On the one hand, AI can help developers program faster and find bugs more quickly. On the other hand, maintainers are being overwhelmed by the sheer volume of potentially serious bug reports.  As Daniel Steinberg, founder and maintainer of the popular open-source data transfer program cURL , recently said, "The rate of incoming security reports is four to five times higher than it was in 2024 and double the speed of 2025." For the first time, he confessed, "I work more than I've done before, but the flood keeps coming." Steinberg is on the verge of burning out. So, he asked for more companies "to fund us" so they could then pay more developers to distribute the workload." Now, IBM and its subsidiary Red Hat have heard the call. Also: Europe's open-source alternative to Microsoft Office and Google Docs launches June 9 Their answer is Project Lightwell , an AI‑powered initiative they described as a "first‑of‑its‑kind force" to find and fix vulnerabilities in open-source software at an industrial scale. Lightwell aims to become a de facto clearinghouse for securing the open-source component