Open source gets a security bill
IBM and Red Hat have announced Project Lightwell, a major initiative to make open source safer in enterprise environments. The figure that commands attention is $5 billion. But the most important thing is not the number alone — it is that IBM is trying to turn open source security into an industrial service.
IBM describes Lightwell as a trusted enterprise clearinghouse for open source, backed by frontier AI capabilities and more than 20,000 engineers. The goal is to identify, validate, test, and fix vulnerabilities at a far greater scale than individual organizations can typically manage.
Open source has won the infrastructure layer. Now the security work is catching up, in enterprise form.
Why AI makes the problem bigger
AI is accelerating the pace of software development. Code agents can create pull requests, suggest packages, update dependencies, and generate infrastructure code faster than teams can read everything manually. As a result, supply chain risk is no longer a background concern — it is a daily control challenge.
IBM says Project Lightwell builds on Red Hat's enterprise open source model but extends it to a broader ecosystem of independent components, libraries, and AI frameworks. IBM states that it uses more than 62,000 open source packages and has deep expertise in more than 10,000 of them.

This is also a business model
Project Lightwell is not pure philanthropy. IBM is positioning it as an enterprise model for validation, patching, and lifecycle management. That means open source security is being packaged as a vendor commitment, not merely a community effort.
That may provoke parts of the open source community, but it addresses a real problem. Banks, government agencies, healthcare organizations, and large industrial companies need more than a GitHub warning and an overworked platform developer. They need traceable patches, risk classification, legal certainty, and a vendor that can be held accountable.
Banks are not accidental early adopters
IBM points to early collaborations in the finance and banking sector. That makes sense. Finance is heavily regulated, deeply dependent on software supply chains, and accustomed to security that must be documented, not merely promised.
For Norway, the parallel is clear: banks, payment operators, energy companies, the public sector, and healthcare will not be able to accept AI-accelerated code production without better control over dependencies.
Conclusion
Project Lightwell turns open source security into a major enterprise category. It is about time. AI makes vulnerability hunting faster, but also makes software development more chaotic. Norwegian organizations should treat this as a reminder: open source is free to download, but not free to secure.
