UPDATED 16:27 EDT / MAY 28 2026

SECURITY

IBM, Red Hat launch $5B Project Lightwell to boost open-source security

IBM Corp. and its Red Hat subsidiary today launched an initiative called Project Lightwell to improve the security of open-source projects.

Project Lightwell is backed by a $5 billion commitment. In addition, IBM and Red Hat will assign more than 20,000 engineers to the initiative.

Red Hat, which became part of IBM through a 2019 acquisition, sells a popular Linux distribution called RHEL. Its code is publicly available, but organizations must buy a license to use it in software projects. Red Hat also develops other open-source tools that automate tasks such as configuring cloud infrastructure.

The Linux distributor has long operated a program through which its engineers find and fix vulnerabilities in its software. Project Lightwell will extend IBM’s work in that area beyond the Red Hat product portfolio to the broader open-source ecosystem. According to the company, the goal is to help enterprises remediate vulnerabilities in the open-source tools that power their software. IBM will provide access to Project Lightwell through subscriptions.

When developers integrate an open-source project into an application, they often don’t use the latest version of the component. Even when they do use the latest version, there is a risk that the component will become outdated in the future because of a lack of updates. That can create challenges if a vulnerability is discovered in the project. 

In many cases, cybersecurity patches aren’t immediately available for legacy versions of an open-source tool. Moreover, there are situations where installing a patch requires updating the affected tool to the latest release. That can necessitate significant code changes to the application in which the component is installed. 

The IBM and Red Hat engineers assigned to Project Lightwell will use artificial intelligence to find vulnerabilities in open-source projects. From there, they will develop patches and backport them to the specific open-source project versions used by customers. IBM says that the backported patches will remove the need for companies to upgrade open-source components to the latest version.

Project Lightwell will also encompass certain other initiatives. IBM and Red Hat plan to disclose vulnerabilities discovered by their engineers to the maintainers of the affected open-source projects. They will create a “trusted intermediary framework” to facilitate such information sharing.

“Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise and trusted collaboration, to secure open-source software at its source and across the entire supply chain,” said IBM Chief Executive Officer Arvind Krishna.

Project Lightwell may create more competition for software supply chain security startups such as Chainguard Inc. and Socket Inc. The former company, which raised $280 million last year, provides hardened versions of open-source projects. Socket sells tools that make it easier for developers to install open-source patches and ease certain related tasks. 
