IBM and Red Hat expand Lightwell with new solutions to build the trusted open source infrastructure in the AI era

IBM and Red Hat have announced the commercial launch of Lightwell, a new platform designed to automate security vulnerability remediation in open-source software at scale. The solution debuts with two main products: Lightwell Network and Lightwell Clearinghouse Premier, aimed at strengthening organizations’ defenses against increasingly sophisticated threats.

Lightwell Network is now available and offers access to an initial catalog of over 6,500 corrected software dependencies, digitally signed and certified for some of the leading development ecosystems, including Java and Python. Meanwhile, Lightwell Clearinghouse Premier is entering a limited availability phase as a trusted platform to coordinate patch management under embargo and facilitate joint threat response across sectors.

This platform launch is part of IBM and Red Hat’s commitment to invest $5 billion in open-source software security announced in May 2026. The initiative is supported by an international team of over 20,000 engineers tasked with overseeing and expanding AI-driven automated remediation capabilities integrated into Lightwell.

According to both companies, the new platform leverages Red Hat’s decades of experience in protecting critical infrastructure—during which millions of software downloads have been distributed and a high volume of updates, bug fixes, and open-source contributions have been made.

Additionally, IBM and Red Hat highlight Lightwell’s strong interest among financial sector organizations and other highly regulated fields, which see this technology as a key tool to address one of the industry’s main structural challenges: efficient and secure management of vulnerabilities in open-source components.

The platform features an advanced AI-based remediation engine capable of mass analysis of dependencies used in modern applications. It combines cutting-edge open-source AI models with expert oversight to identify vulnerabilities, validate proposed solutions, and automatically generate fixes—reducing response times and enhancing enterprise software security.

Lightwell bridges the gap between agile innovation and corporate compliance by securing the specific software packages organizations deploy in production today, while establishing a stable foundation for future applications. To address dependency patching bottlenecks, Lightwell automates the retroactive application of critical fixes directly to specific long-term production versions. This helps mitigate lengthy regression testing and breaking compatibility changes that often hinder teams from adopting major source code updates. Backed by its AI remediation engine, Red Hat and IBM expect Lightwell’s catalog of corrected packages to expand rapidly—from thousands to millions.

Red Hat and IBM deliver these capabilities through two solutions:

  • Lightwell Network: Available for general use, providing immediate access to a constantly growing library of content that spans from the latest releases to legacy libraries, with high-value remediations. Users receive a continuous stream of digitally signed binaries, source code, and comprehensive compliance documentation—including complete software bill of materials (SBOMs)—delivered directly into existing workflows without code deviation.
  • Lightwell Clearinghouse Premier: Entering a limited commercial onboarding phase, this tier is designed to act as a trusted intermediary for close sector collaboration, advanced threat coordination, and secure embargoed patch management. Participating organizations can report vulnerabilities and request fixes for specific versions under embargo windows. Although initial launch is limited to the financial sector, Red Hat and IBM plan to expand Lightwell Clearinghouse Premier to other critical infrastructure sectors—including government, healthcare, and telecommunications—in subsequent phases. Due to the legal, geographic, and disclosure frameworks required for sectoral coordination networks, commercial access is restricted to qualified participating organizations.

Lightwell operates under the proven “upstream-always” model by Red Hat, where security fixes are actively sent back to the original open-source project for review and incorporation. This ensures that commercial protections and community health continually reinforce each other, avoiding project fragmentation while protecting production environments from zero-day vulnerabilities.

“No institution can alone handle the growing scale and complexity of open-source vulnerabilities,” says Scott DePasquale, President and CEO of ARC. “The financial sector has long demonstrated the value of collaboration in addressing shared security challenges, and initiatives enabling coordinated remediation have the potential to strengthen industry resilience across the board.”

“Lightwell marks a fundamental structural shift in how we safeguard all enterprise software,” states Matt Hicks, President and CEO of Red Hat. “By combining automated remediation with our extensive engineering expertise, our goal is to provide the trusted infrastructure needed to reliably, sustainably, and rapidly harness open source with the power of AI.”

“IBM and Red Hat deliver certified fixes that can be directly integrated into the systems organizations already manage, without redesigns or service disruptions, supported by an expanding network of technology and deployment partners,” notes Rob Thomas, Senior Vice President of Software & Chief Commercial Officer at IBM. “Making this possible requires a scale most organizations don’t have: top-tier engineers and AI systems working continuously to protect the open-source software underpinning businesses worldwide.”

“Heavily regulated sectors like financial services face the highest compliance costs, making security a top priority—especially in the use of open-source software,” states Jerry Silva, Vice President of IDC Financial Insights. “The collaboration under the Lightwell brand between Red Hat and IBM to identify, classify, and fix vulnerabilities will bolster the security and resilience of these organizations globally, maintaining the trust inherent in their services.”

Considering open source accounts for up to 90% of enterprise code and generated 9.8 trillion downloads in 20251, the massive volume and the $50 exploits driven by AI2 have overwhelmed traditional patch management, with source code averaging 581 vulnerabilities3. Lightwell is designed to mitigate this unrecognized risk and neutralize bottlenecks through contextual app and dependency interaction analysis, offering validated solutions directly within active workflows.

Securing the open-source software supply chain requires an open, diverse ecosystem spanning AI models, development tools, and enterprise infrastructure. Lightwell extends through a robust, growing network of technology and deployment partners. By collaborating with industry leaders, Lightwell delivers a truly orchestration-based defense—when a fix is ready, network rules, cloud environments, and deployment flows are simultaneously updated across the entire business ecosystem.

  • Technology Partners: Industry leaders such as Amazon Web Services (AWS), AMD, F5, GitLab, Intel, JFrog, Microsoft, NVIDIA, Palo Alto Networks, and ServiceNow collaborate with IBM and Red Hat on Lightwell. This expanding ecosystem ensures Lightwell’s security fixes reach heterogeneous environments, protecting a wide array of existing tools, applications, and services seamlessly.
  • Deployment and Strategy Services: To accelerate adoption, clients can leverage top-tier system integration and strategic deployment services via IBM Consulting, Red Hat Consulting, Accenture, Atos, Cognizant, Deloitte, EY (cybersecurity and risk consulting teams), HCLTech, Infosys, Kyndryl, LTM, NTT DATA, Tata Consultancy Services (TCS), and Tech Mahindra. These organizations assist clients in mapping SBOMs, managing version correspondence, integrating Lightwell logs, and assessing workflows to proactively address vulnerabilities at AI speed.
Scroll to Top