IBM has committed $5 billion to secure open source software through a new Project Lightwell initiative that deploys engineers and AI tools to help enterprises manage vulnerabilities across software supply chains, the company said on Thursday.

The initiative, called Project Lightwell, is designed as a clearinghouse for open source security aimed at improving risk management across the software supply chain. Open source software underpins much of modern enterprise infrastructure, used widely across financial services and technology systems.

The model will combine a trusted intermediary hub with AI systems to identify vulnerabilities, validate fixes and distribute patches across enterprise environments, reflecting growing concern that advances in artificial intelligence are accelerating exploitation of open source code. Security researchers have warned that automated tools are reducing the time required to discover and exploit flaws in widely used codebases.

Arvind Krishna, chairman and chief executive at IBM, said: “Open source is the backbone of today’s digital economy and the foundation of modern AI, and we are at an inflection point in how it is built, secured, and scaled. With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain.”

IBM and its Red Hat unit have already trialled the system with banks and payment firms including Bank of America, JPMorgan Chase and Visa, aiming to refine how vulnerabilities are detected and resolved across complex enterprise systems. Early participants also include Goldman Sachs, Mastercard and Morgan Stanley, according to IBM.

Rob Thomas, senior vice president of software at IBM, told Reuters that the service will launch as a commercial offering within 30 days and provide a “stamp of approval” for enterprise use of open source software.

IBM said the initiative will be supported by more than 20,000 engineers working alongside AI systems, extending its traditional open source security approach beyond its own platforms to cover independent libraries and AI frameworks. The approach extends Red Hat’s existing enterprise open source security work into independent software components, aiming to standardise validation and patching across development and production environments.

Project Lightwell is set to launch as a commercial service within the next 30 days, positioning IBM to compete in a growing market for software supply chain security tools. IBM indicated the service will be offered via subscription pricing linked to the number of software packages used, with a focus on enterprise deployment.

---