Red Hat has argued that open source remains the safest base for enterprise software, even as a series of high-profile AI-era vulnerabilities has sharpened concern over the security of widely used code. In a blog post, the company said the real problem is not that open source has become inherently dangerous, but that the speed at which flaws are being found and exploited now outpaces many organisations’ ability to respond.
That warning lands against a backdrop of mounting evid...
Red Hat’s central argument is that open source still offers a structural advantage over proprietary software because the code is visible, widely used and continuously scrutinised. The company says that transparency creates stronger collective incentives to identify and fix flaws than a closed model in which vulnerabilities may remain hidden until attackers find them. The challenge, it says, has shifted from discovery to remediation.
That concern is being intensified by the scale of the modern open source ecosystem. ITPro reported that developers downloaded 9.8 trillion software components from repositories including Maven Central, PyPI and npm in 2025, up 67% from the previous year. The same growth has given attackers more opportunities to plant malicious packages or exploit weaknesses before patches are widely deployed. Security researchers have also recently flagged critical flaws in Nvidia’s open-source Triton Inference Server and in Fluent Bit, a log-processing tool used across major cloud environments, illustrating how quickly open source issues can ripple through enterprise infrastructure.
Red Hat says organisations need to move faster on inventory, patching and automation. It urges companies to map every dependency, measure the time it takes to move a fix from upstream to production, and automate rebuilds so updates can be consumed without disrupting systems. The company also recommends using vendors that actively contribute to the projects they ship, arguing that responsible upstream participation is part of maintaining long-term security.
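The inventory and remediation-lag measurement described above, as an added example that is not code from Red Hat or from the article: a small Python script that reads a hand-built CycloneDX-style SBOM, matches each deployed component against a constructed advisory list, and reports how many days each available upstream fix has gone unapplied. The SBOM contents, package names and advisory identifiers (`EXAMPLE-2025-000x`) are all constructed placeholders, and the version-range logic is a deliberately simple dotted-numeric comparison rather than a full ecosystem-specific version parser.

```python
"""Dependency inventory and remediation-lag report (constructed example)."""
import json
from datetime import date

# Constructed SBOM in a CycloneDX-like shape; not real project data.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "parser", "version": "2.3.0",
         "purl": "pkg:maven/org.example/parser@2.3.0"},
        {"name": "httpclient", "version": "4.5.14",
         "purl": "pkg:maven/org.example/httpclient@4.5.14?type=jar"},
        {"name": "yamlutil", "version": "1.9.2",
         "purl": "pkg:pypi/yamlutil@1.9.2"},
    ],
})

# Constructed advisories with placeholder identifiers. Each names the
# package, the first version that is no longer affected, and the date the
# upstream fix shipped.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "package": "pkg:maven/org.example/parser",
     "affected_below": "2.4.1", "fix_released": "2025-01-10"},
    {"id": "EXAMPLE-2025-0002", "package": "pkg:pypi/yamlutil",
     "affected_below": "1.9.0", "fix_released": "2024-11-02"},
    {"id": "EXAMPLE-2025-0003", "package": "pkg:maven/org.example/httpclient",
     "affected_below": "4.5.15", "fix_released": "2025-02-20"},
]


def parse_version(text):
    """Turn '4.5.14' into (4, 5, 14); non-numeric suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_less_than(a, b):
    """Compare two dotted versions, padding so '1.9' equals '1.9.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def load_inventory(sbom_json):
    """Map each package (purl without version or qualifiers) to its deployed version."""
    bom = json.loads(sbom_json)
    inventory = {}
    for comp in bom.get("components", []):
        base, _, tail = comp["purl"].rpartition("@")
        inventory[base] = tail.split("?", 1)[0]  # drop '?type=jar' style qualifiers
    return inventory


def find_exposures(inventory, advisories, today):
    """List deployed components still below their fixed version, with fix lag in days."""
    exposures = []
    for adv in advisories:
        deployed = inventory.get(adv["package"])
        if deployed is None or not version_less_than(deployed, adv["affected_below"]):
            continue
        fix_date = date.fromisoformat(adv["fix_released"])
        exposures.append({
            "advisory": adv["id"],
            "package": adv["package"],
            "deployed": deployed,
            "fixed_in": adv["affected_below"],
            "lag_days": (today - fix_date).days,
        })
    # Longest-outstanding fixes first: that is the backlog to burn down.
    exposures.sort(key=lambda e: e["lag_days"], reverse=True)
    return exposures


def remediation_report(sbom_json, advisories, today):
    """Summarise inventory size and the unremediated exposures as of `today`."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    inventory = load_inventory(sbom_json)
    exposures = find_exposures(inventory, advisories, today)
    return {"components": len(inventory), "exposed": exposures}


if __name__ == "__main__":
    report = remediation_report(SBOM_JSON, ADVISORIES, date.today())
    print(f"{report['components']} components inventoried")
    for e in report["exposed"]:
        print(f"{e['advisory']}: {e['package']} at {e['deployed']}, "
              f"fixed in {e['fixed_in']}, fix available for {e['lag_days']} days")
```

The `lag_days` figure is the metric the paragraph refers to: the gap between an upstream fix being available and the stable version in production still lacking it. In a real pipeline the SBOM would come from the build system and the advisory list from a vulnerability feed, and the same report run on every rebuild is what turns "measure the time" into an automated gate.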
The company is pairing that message with a larger bet on Project Lightwell, a joint Red Hat and IBM initiative backed by a $5 billion commitment and more than 20,000 engineers. According to the companies, the project is designed to create a remediation engine for the AI era, extending Red Hat’s long-standing backporting approach beyond operating systems and into application frameworks and dependencies, beginning with Maven/Java and later PyPI and npm. The aim is to deliver fixes for the exact stable versions enterprises already run, rather than forcing disruptive upgrades.
Red Hat says the model is intended to avoid the burden of private forks, where organisations patch issues on their own and then carry that maintenance effort forward indefinitely. Under Project Lightwell, fixes would be fed back into the originating open source projects after being delivered to customers, preserving the shared nature of the ecosystem. The company also says the effort aligns with recent US executive action on AI and cybersecurity, which calls for better coordination of vulnerability scanning, validation and remediation.
The broader message is that open source is not the weak link in enterprise software so much as the most visible and heavily relied upon part of it. As vulnerabilities are found faster and in larger numbers, Red Hat argues that security will depend less on avoiding open source and more on coordinating around it more intelligently.
Source: Noah Wire Services