惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Scott Helme
Scott Helme
N
Netflix TechBlog - Medium
AI
AI
Security Latest
Security Latest
GbyAI
GbyAI
P
Proofpoint News Feed
Y
Y Combinator Blog
A
Arctic Wolf
G
Google Developers Blog
U
Unit 42
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
T
Tor Project blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threatpost
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
B
Blog RSS Feed
The GitHub Blog
The GitHub Blog
Microsoft Azure Blog
Microsoft Azure Blog
博客园 - 【当耐特】
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Cisco Blogs
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
阮一峰的网络日志
阮一峰的网络日志
Latest news
Latest news
L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
WordPress大学
WordPress大学
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
Simon Willison's Weblog
Simon Willison's Weblog
V
V2EX
Project Zero
Project Zero
博客园_首页

Latest news

Why I'm recommending last year's phones over 2026 models - with one exception This powerful Gemini setting made my AI results way more personal and accurate How to qualify for Apple's education discount - and get a $499 MacBook Neo for school T-Mobile will give you a Samsung Galaxy Watch 8 for free - how to get yours Prolonged AI use can be hazardous to your health and work: 4 ways to stay safe Verizon will give you a free iPad or Apple Watch with your next iPhone - how the deal works The best laptops of 2026: Expert tested and reviewed I hid 4 Bluetooth trackers (including AirTags) to test their reliability - here's how Android rivals compared I stopped using my iPhone's hotspot after testing this 5G router - and that won't change The best Kindles in 2026: Expert recommended Does Best Buy price match? Everything to know about matching prices online and in-store The best WordPress hosting services of 2026: Expert tested and reviewed The best Apple Watch of 2026: Expert tested and reviewed The best TV screen cleaners of 2026: Expert recommended The best 50-inch TVs of 2026: Expert tested I traded my Sonos Era 300 for Denon's new home speaker - and see no reason to go back AI-powered website builders have come a long way - here's your best option in 2026 Amazon just slashed $250 off the Google Pixel 10 - and a Prime subscription isn't required I found the apps slowing down my PC - how to kill the biggest memory hogs These companies are actually upskilling their workers for AI - here's how they do it Verizon will give you Meta Ray-Bans for free with this Fios Internet deal - how to get yours I tried the new Gemini app for Mac - it has one major advantage over the web version How Google's updated AI Mode will ease your tab clutter when you search Why this MagSafe battery pack is our readers' favorite model right now - especially at its price T-Mobile will give you a Google Pixel 10a for free - plus an extra gift OpenAI's Codex Desktop can run your computer now - and has its own browser Want to build a startup that gets acquired? This founder shares 5 proven tips Google to pay $135M settlement to Android phone users - how to claim your share if you qualify Want to stand out on LinkedIn? Try this career strategist's top 3 tips for strengthening your profile I've used Dell's new XPS 16 for a week, and it's the Windows laptop to beat in 2026 You can get 50% off YouTube Premium for 1 year right now - but the deal ends soon Tidal vs. Qobuz: I tried both hi-res streaming services, and they couldn't be more different This stroller turns into a carry on-suitcase, and I recommend it for traveling parents The best small business VoIP providers of 2026: Expert tested and reviewed Protect your devices with our pick for the best antivirus software, now over 60% off MacBook Neo vs. Surface: Why spiraling RAM prices are bruising Microsoft's PC business but not Apple's I tried Google's new desktop app for Windows, and I'll never search the old way again Microsoft's Windows 11 laptop deal for students comes with a $500 bonus - what's included You can buy an LG B5 OLED for $1,500 off at Best Buy - and it comes with a free 4K TV Why Zorin OS 18.1 is simply the best Linux distro - for anyone Why Netgear just got the first FCC router ban exemption in the US Microsoft's latest Windows update now confirms if your PC is Secure Boot-protected - how it works Can this $70 Linux app make up for the lack of Photoshop? I tried it to find out 'Like handing out the blueprint to a bank vault': Why AI led one company to abandon open source iPhone charging slowly? 6 quick fixes to try before blaming your battery Roku TV vs. Fire Stick: Why I'm looking beyond streaming resolution when comparing the two AI is getting better at your job, but you have time to adjust, according to MIT The best internal communication tools of 2026: Expert tested and reviewed Half of all US employees use AI at work now - and waste almost 8 hours a week doing it The latest Google Home update brings Gemini fixes that I'm actually excited to try again This simple email trick saves me from annoying marketing spam (and it's free to do) I've been subscribed to a data removal service a month now - what I wish I knew sooner I love Sony's new Bluetooth turntable, so why do I feel so conflicted using it Is your Pixel battery draining faster lately? These 4 temporary fixes helped me You can use Linux 7.0 on these 7 distros today - here's what to expect Chrome's new 'Skills' update lets you save AI prompts now - for one-click reuse How I share audio from my Android phone to multiple earbuds (and why it's a big deal) How to use Google Messages' new Trash feature to recover texts you accidentally deleted Why the Apple Watch's 20-minute calibration test is worth your time - especially if you're data curious I tested every 'allergy-friendly' smart home gadget - these 6 actually keep the pollen out Meta is selling refurbished Ray-Bans for as low as $197 right now - but they're going fast Setting a MagSafe charger on my nightstand was the iPhone upgrade I didn't know I needed I swapped my Sony WH-1000XM6 for lower-end JBL headphones, and they still sounded great I tested ChatGPT Plus vs. Gemini Pro to see which is better - and if it's worth switching I used the 'Plus Five' rule to fix my iPhone's slow wireless charging - here's how it works I tested Artix Linux: An enjoyable systemd-free distro for experienced users (and ChromeOS speeds) I spent two years testing wind power at home - here's why solar is still my preferred source I camera-tested the Samsung Galaxy S26 Ultra with Oppo and Xiaomi - this model won it for me How I boosted my portable solar panels' power by up to 30% - 11 expert-approved tips I see why Ubuntu 26.04 is more than just a performance bump for thrill-seeking gamers France is ditching Windows for digital sovereignty - and its new Linux stack is taking shape As an Android user, this MagSafe wallet is the clearest reason why Qi2 magnets shouldn't be ignored The best Zoom alternatives in 2026: Expert tested and reviewed KDE Linux is the purest form of Plasma I've used in months - but there's a catch LG C6 vs. LG C5: Why the 2025 model is still the smarter OLED TV model buy for me How I disabled 'fast startup' on my Windows 11 laptop to stop overnight battery drain 30 years later, I returned to Enlightenment Linux to test the Elive beta - and it's much better Here's my favorite email trick for cleaning up inbox clutter - automatically The $30 Google TV stick may be the budget Chromecast successor we've been waiting for The best AR and MR glasses in 2026: Expert tested and reviewed This handy electric screwdriver is now 50% off - here's where to snag the deal This Ryobi yard essentials bundle packs a free power tool - how to get yours After trying these boomless headphones in the office, I'm feeling hopeful for the future of work tech I used this EcoFlow battery to run my 3,000-sq-ft home in a blackout - here's how it kept my AC on Microsoft's Windows Insider Program is no longer a confusing mess Forget Shokz: I tried the Suunto Spark earbuds for a month, and they've sold me on air conduction iOS 26.4 brings essential upgrades to your iPhone - including a vital security fix YouTube Premium is getting a price increase in June - but you can save $32 with one change Your router may be vulnerable to Russian hackers, FBI warns: 5 steps to take now I walked 3,000 steps with my Apple Watch, Google Pixel, and Oura Ring - this tracker was most accurate I stopped guessing which AA batteries are dead - this charging station keeps them in check for me My favorite Android Auto find is these hidden shortcuts that are highly customizable AirDrop is coming to older Samsung phones - is yours supported? How to get it early I'm no longer using Google Photos as just a cloud storage - 5 tools that elevate the app The best data removal services of 2026: Expert tested and reviewed The best Samsung TVs of 2026: Expert tested and reviewed The best mobile scanning apps of 2026: Expert tested and reviewed The best HP laptops of 2026: Expert tested and reviewed After using Lenovo's new Yoga laptop, I'm wondering if Windows makers are running out of ideas Samsung S95H vs. Samsung S95F: I compared the OLED TVs and wasn't prepared for the upset
Open-source security is a mess - IBM and Red Hat bet $5 billion and 20,000 engineers can fix it
Written by · 2026-05-30 · via Latest news
greenkeys-shutterstock-46170328
PeterPhoto123 via Shutterstock

Follow ZDNET: Add us as a preferred source on Google.


ZDNET's key takeaways

  • Lightwell is a huge effort to safeguard open-source software.
  • IBM and Red Hat are investing in this massive security initiative. 
  • We don't yet know how this subscription-based service will work. 

AI is a mixed blessing for open-source software. On the one hand, AI can help developers program faster and find bugs more quickly. On the other hand, maintainers are being overwhelmed by the sheer volume of potentially serious bug reports. 

As Daniel Steinberg, founder and maintainer of the popular open-source data transfer program cURL, recently said, "The rate of incoming security reports is four to five times higher than it was in 2024 and double the speed of 2025." For the first time, he confessed, "I work more than I've done before, but the flood keeps coming." Steinberg is on the verge of burning out. So, he asked for more companies "to fund us" so they could then pay more developers to distribute the workload." Now, IBM and its subsidiary Red Hat have heard the call.

Also: Europe's open-source alternative to Microsoft Office and Google Docs launches June 9

Their answer is Project Lightwell, an AI‑powered initiative they described as a "first‑of‑its‑kind force" to find and fix vulnerabilities in open-source software at an industrial scale. Lightwell aims to become a de facto clearinghouse for securing the open-source components that underpin modern enterprise IT.

However, the initiative will not pay upstream developers. Instead, Lightwell provides IBM and Red Hat engineers with AI tools to work on important, business-critical open-source projects and make them as secure as possible. Since Anthropic's Mythos Preview model has already identified nearly 3,900 serious security vulnerabilities in open-source software in just a few weeks, the urgent need for faster fixes is crystal clear.

To take this step, the two companies will invest $5 billion over the following years to roll out frontier‑scale AI models, tooling, and a global engineering organization dedicated to open-source security. This move isn't just an AI play. The companies will also dedicate 20,000 engineers to treating open-source risk as a first‑order supply chain problem, not a background maintenance chore.

Also: Rust will save Linux from AI, says Greg Kroah-Hartman

After all, as ZDNET's own David Gewirtz recently pointed out, "traditional application security is no longer enough." It's not even close to being enough. 

Boosting open-source code security

At the heart of Project Lightwell is a new operational model that bridges the gap between enterprises and the upstream communities that build the software they rely on. Rather than launching yet another bug bounty program or code‑scanning service, IBM and Red Hat are pitching Lightwell as a trusted intermediary. That is, businesses will feed the initiative information about the open-source software they run. Then, Lightwell engineers will use AI to hunt for flaws and propose fixes. After that, its engineers will work with upstream maintainers to get patches merged and shipped.

The companies said this clearinghouse will combine several functions that today are fragmented across internal security teams, third‑party scanners, and community maintainers. Those functions include large‑scale vulnerability discovery, triage and prioritization, patch development, backporting, and long‑term lifecycle support for the specific versions enterprises actually deploy. If all goes well, this approach will transform the trickle of manual fixes into a high‑throughput remediation pipeline that still respects project governance and open development norms.

As Arvind Krishna, IBM's Chairman and CEO, said in a statement, "With Project Lightwell, IBM and Red Hat are helping define a new industry model, one that brings together AI, engineering expertise, and trusted collaboration, to secure open source software at its source and across the entire supply chain."

Also: Nearly half of cybersecurity pros want to quit - here's why

Lightwell will start with the Maven/Java ecosystem, which witnessed enormous abuse even before AI appeared on the scene. The project will then be expanded across PyPI, npm, Go, and other important open-source codebases. 

IBM's latest AI models will power Lightwell. These systems will be trained to scan massive codebases, dependency graphs, and configuration archives for potential vulnerabilities, then generate candidate patches that human engineers validate before anything goes upstream or into customer environments.

Also: 10 ways AI can inflict unprecedented damage in 2026

The companies argued that this human‑in‑the‑loop approach is essential if AI is to be trusted with security‑critical code. Models can surface patterns and issues that human reviewers would never have time to cover, IBM said. However, final decisions about what constitutes a safe and acceptable fix will remain with experienced engineers and project maintainers. In practice, Lightwell is meant to appear to communities as a particularly large and well‑organized contributor, not as an opaque automation layer dropping unsolicited pull requests.

Working with, not around, upstream

For Red Hat, Project Lightwell extends a playbook honed for decades. The initiative will take upstream open source, harden and support it for enterprises, and push improvements back to the community. The difference is scope. While Red Hat's traditional model has centered on platforms such as its own products, including Red Hat Enterprise Linux (RHEL), OpenShift, and Ansible, Lightwell will target the sprawling long tail of libraries, frameworks, and tools that quietly underpin everything from banking systems to AI pipelines.

Also: Red Hat Desktop vs. Fedora Hummingbird: Which AI development Linux path is right for you?

The companies said Lightwell engineers will file issues, propose patches, and co‑maintain critical components alongside existing project leaders rather than forking or replacing them. When upstream maintainers disagree with a fix or decline to support an older branch, Lightwell will still be able to carry hardened backports for its customers. But IBM and Red Hat insisted that the default path is upstream‑first, with the clearinghouse acting as a bridge between enterprise production demands and community release cadences.

Supply chain risk as an opportunity

At the same time, IBM and Red Hat explicitly said, "These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management." 

These subscriptions are positioned as an overlay on existing software supply chains, not a new distro: Lightwell plugs into Continuous Integration and Continuous Deployment (CI/CD), registries, and Software Bill of Materials (SBOM) processes companies already use, delivering vetted fixes and policy decisions via APIs, catalogs, and integrations.

Also: Why business architects are poised to lead the corporate AI revolution

IBM's senior VP of software, ‌Rob ⁠Thomas, told Reuters, "The service will launch as a commercial offering in the next 30 days." This subscription, which will probably be priced according to the number of packages used, will provide clients with a "stamp of approval from the clearinghouse that their open source is safe to use in production."

That service is all well and good, and certainly the two powerhouse companies will be investing a ton of money and deserve to make a profit, but how do the upstream open-source developers and their businesses fit into this new approach? Will this proposed trusted enterprise clearinghouse become a de facto gatekeeper for big companies? If the patches are all placed in upstream repositories, what, exactly, will customers be paying for?

Those are all good questions, and right now there are no good answers. Stay tuned. 

Open Source