IBM and Red Hat have announced the launch of an initiative, Project Lightwell, under which the companies intend to invest 5 billion in protecting open source software and software supply chains. The project is presented as a "trusted coordination center" for identifying, verifying, and fixing vulnerabilities in open source components used by corporate customers.
The substance of Project Lightwell is to extend Red Hat's established model of corporate open source support beyond its own products. While the company previously tested, signed, delivered, and sent patches upstream primarily for components of its own platforms, it now wants to apply this approach to a broader set of dependencies: independent libraries, language toolchains, AI frameworks, and streaming data processing platforms.
IBM and Red Hat plan to allow enterprise customers to report security issues found in specific versions of their software, receive verified fixes, and integrate them into their existing build and delivery chains. Red Hat specifically states that customers will be able to connect their build tools, such as Artifactory, Nexus, or Maven, to Red Hat's secure registry; the company will then scan, backport, test, sign, and deliver fixed artifacts for the specified package versions.
Project Lightwell will be offered as a commercial subscription. Reuters, citing a statement from IBM Software Senior Vice President Rob Thomas, reports that the service is expected to become commercially available "within the next 30 days," with pricing likely based on the number of packages used. According to IBM, clients will be able to receive a form of clearinghouse assurance that their open source components are safe for production use.
The project has announced the participation of more than 20 thousand IBM and Red Hat engineers, as well as the use of AI for mass vulnerability analysis, triage, prioritization, and patch validation. Red Hat emphasizes that AI is viewed as a tool for accelerating initial data processing, while critical decisions should remain with engineers who understand the context of upstream development, backport compatibility, and responsible vulnerability disclosure procedures.
The first participants in Project Lightwell are large financial institutions, including Bank of America, BNY, Citi, Goldman Sachs, JPMorganChase, Mastercard, Morgan Stanley, Royal Bank of Canada, State Street, Visa and Wells Fargo. Through these deployments, IBM and Red Hat intend to refine their processes for identifying, verifying, and remediating vulnerabilities in complex software supply chains.
IBM separately emphasizes the scale of the problem: the company itself uses more than 62 thousand open source packages and claims deep expertise in more than Xnumx thousand of them. Examples of areas where IBM and Red Hat have already accumulated expertise include Linux, Java, Kubernetes, Kafka, Ansible, Terraform, Flink and Cassandra.
Project Lightwell essentially looks like an attempt to turn the maintenance and verification of open source dependencies into a standalone corporate product. A key question for the community will be how quickly fixes actually reach upstream, rather than remaining within the paid IBM/Red Hat offering. In the official project description, the companies promise to deliver verified fixes to clients and at the same time contribute patches to open source projects through a responsible disclosure process.
Source: linux.org.ru
