Original article excerpt
Project Lightwell is an AI‑powered initiative to find and fix vulnerabilities in open-source software at an industrial scale. Here's what we know so far.
AI is a mixed blessing for open-source software. On the one hand, AI can help developers program faster and find bugs more quickly. On the other hand, maintainers are being overwhelmed by the sheer volume of potentially serious bug reports.
As Daniel Stenberg, founder and maintainer of the popular open-source data transfer program cURL, recently said, "The rate of incoming security reports is four to five times higher than it was in 2024 and double the speed of 2025." For the first time, he confessed, "I work more than I've done before, but the flood keeps coming." Stenberg is on the verge of burning out. So, he asked for more companies "to fund us" so they could then pay more developers to distribute the workload. Now, IBM and its subsidiary Red Hat have heard the call.
Their answer is Project Lightwell, an AI‑powered initiative they described as a "first‑of‑its‑kind force" to find and fix vulnerabilities in open-source software at an industrial scale. Lightwell aims to become a de facto clearinghouse for securing the open-source components that underpin modern enterprise IT.
However, the initiative will not pay upstream developers. Instead, Lightwell provides IBM and Red Hat engineers with AI tools to work on important, business-critical open-source projects and make them as secure as possible. Since Anthropic's Mythos Preview model has already identified nearly 3,900 serious security vulnerabilities in open-source software in just a few weeks, the urgent need for faster fixes is crystal clear.
To take this step, the two companies will invest $5 billion over the coming years to roll out frontier‑scale AI models, tooling, and a global engineering organization dedicated to open-source security. This move isn't just an AI play. The companies will also dedicate 20,000 engineers to treating open-source risk as a first‑order supply chain problem, not a background maintenance chore.
