IBM betting $5B it can fix bugs that Anthropic AI has found!
DarkReading.com reported that “IBM and Red Hat assign 20,000 engineers to the new Project Lightwell service as Anthropic's Mythos findings ignite debate over how to secure the open-source software supply chain.” The July 2, 2026 article entitled " Anthropic's AI Finds Bugs. IBM Bets $5B It Can Fix Them” (https://www.darkreading.com/vulnerabilities-threats/anthropic-s-ai-finds-bugs-ibm-bets-5b-it-can-fix-them-) included these comments:
Red Hat and its parent IBM have committed an eye-popping $5 billion to Project Lightwell, a new subscription-based patching service for enterprises running business-critical systems that can't risk the disruption of updating open-source software in production. It is the largest known commitment specifically targeting open-source software supply chain security — dwarfed only by Google's broader $10 billion cybersecurity pledge in 2021, which also covered zero-trust and workforce training.
IBM pointed to the initial April release of Anthropic's Claude Mythos Preview model as a driver for Lightwell. Anthropic's Project Glasswing — a coordinated defense initiative launched in April with 50 partners, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks — uses Mythos to scan open-source software.
Days after the IBM Lightwell launch, Anthropic announced that the Glasswing partnership has expanded to 150 organizations, including those that supply critical infrastructure covering industries such as power, water, healthcare, communications and hardware.
At the same time, the Cloud Security Alliance published a research note stressing the need for collaboration on Project Glasswing, because AI-driven discovery of open-source vulnerabilities is outpacing the ability to patch them.
The report noted that as of late May, Anthropic had disclosed 1,596 vetted vulnerabilities to maintainers across 281 projects, and only 97 had been patched — a fix rate of roughly 6 percent. The standard 90-day coordinated disclosure window, the CSA noted, was designed for human-speed discovery, not for an AI model capable of scanning 1,000 codebases in a single month.
Anthropic emphasized that several maintainers are now severely capacity-constrained, and some have asked the company to slow its disclosure rate because they simply can't keep up. According to Anthropic, the average time to patch a high- or critical-severity bug disclosed through Glasswing is two weeks.
IBM itself joined Anthropic’s Project Glasswing on May 19 — before the Lightwell launch — committing to hardening its own products and contributing fixes back to open-source projects through coordinated disclosure. “The collaboration makes the entire ecosystem stronger," Rob Thomas, IBM's senior vice president of software and chief commercial officer, said in a statement.
Anyone surprised?