How is Project Lightwell Securing Open Source?

The collaboration follows IBM and Red Hat's expansion of Project Lightwell with Palo Alto Networks earlier this week to accelerate vulnerability detection and remediation.
IBM, Red Hat, and Deloitte announced on June 26, 2026, a collaboration to expand Project Lightwell, an initiative designed to help organizations secure open source software supply chains against increasingly automated cyber threats.
“Lightwell was created to address the growing challenge of securing open source software in an AI-driven threat landscape,” said Savio Rodrigues, Vice President, Service Partners at IBM.
According to IBM, most enterprise applications combine first-party code, open source components, and commercial software, allowing a single unpatched vulnerability to create risk across multiple systems.
Inside Project Lightwell
Project Lightwell was introduced by IBM and Red Hat in May as an enterprise clearinghouse that combines artificial intelligence with human engineering experts to identify, validate, and remediate vulnerabilities in open source software. According to the companies, the platform is designed to help organizations integrate validated security patches into existing software supply chains while maintaining enterprise governance and compliance.
Deloitte joins the initiative as an integration collaborator. The company will contribute its secured software supply chain architecture and cyber risk services to help customers integrate Project Lightwell into existing development and security workflows.
The companies said that Project Lightwell uses AI to identify software vulnerabilities, validate potential fixes, and coordinate remediation before patches are deployed into production environments.
Deloitte also said it will maintain a bench of Forward Deployed Engineers (FDEs) to support ongoing remediation and maintenance of client applications as part of its role in the collaboration.
"Exploits don't wait for manual patching processes, and neither can enterprise response,” said Adnan Amjad, Deloitte’s US Cyber leader. “Together, we're enabling clients to operate at machine speed to identify, validate, and remediate vulnerabilities. This collaboration is about building the operational resilience needed to maintain trust across increasingly complex software ecosystems — creating systems that can withstand and neutralize risk without disrupting the business.”
"Our work with Deloitte will bring the remediation capabilities we developed with IBM with Lightwell directly to enterprise application environments. Together we will isolate, patch, and deliver the fixes, supporting the open source ecosystem while protecting the specific versions our customers depend on," says Kevin Kennedy, Vice President, Global Partner Ecosystem at Red Hat.
The collaboration builds on IBM and Red Hat's broader $5 billion commitment to Project Lightwell. The initiative is backed by more than 20,000 engineers who contribute vulnerability research, software validation, and remediation across open source ecosystems, according to IBM and Red Hat.
The companies said the initiative aims to transform software supply chain security from a fragmented, reactive process into a coordinated, evidence-based operating model.
Key Takeaways
- IBM, Red Hat, and Deloitte expand Project Lightwell to enhance open source software security.
- The initiative uses AI to detect and remediate vulnerabilities in software supply chains.
- It aims to integrate validated security patches while maintaining governance and compliance.
- Deloitte contributes expertise in secured software supply chain architecture.
- Collaboration addresses increased cyber threats in an AI-driven landscape.