Lightwell: Securing Open Source with IBM and Red Hat

Share this article
Share this article
Prioritise Us on Google
Rob Thomas, Senior Vice President, Software & Chief Commercial Officer, IBM
IBM and Red Hat unveil Lightwell, an AI-powered platform designed to secure open source software and simplify vulnerability remediation at scale

Open source code comprises up to 90% of enterprise codebases. With AI unleashing hidden exploits, traditional patch management simply cannot keep pace.

An average codebase today contains 581 vulnerabilities, according to IBM and Red Hat. To combat this, the pair have launched Lightwell, a platform designed to address this challenge through automated remediation and AI-powered dependency management.

The move builds on a US$5bn commitment to open source security announced in May 2026, supported by more than 20,000 engineers focused on scaling AI-powered remediation.

IBM and Red Hat launched Lightwell, delivering automated vulnerability remediation at scale through two offerings: Lightwell Network and Lightwell Clearinghouse Premier | Credit: Red Hat (Modified)

Automation meets engineering expertise

Lightwell introduces two offerings targeting enterprise software development teams. Lightwell Network and Lightwell Clearinghouse Premier combine AI-driven automation with human engineering expertise to identify, validate and remediate vulnerabilities in open source dependencies.

The platform uses a generative AI-powered remediation engine that combines frontier AI and open AI models with human expertise to analyse software dependencies. It delivers validated fixes for production environments without requiring organisations to upgrade entire software stacks.

Youtube Placeholder

The technology backports critical fixes directly into long-lived production versions. This approach could reduce disruption and minimise regression risks for development teams managing complex software ecosystems.

"Lightwell represents a fundamental structural shift in how we secure all enterprise software," says Matt Hicks, President and CEO at Red Hat.

"By pairing automated remediation with our deep engineering heritage, we aim to deliver the trusted infrastructure required to consume open source reliably, sustainably and at AI speeds."

Matt Hicks, President and CEO of Red Hat

Network offering targets development pipelines

Lightwell Network has been made generally available with more than 6,500 remediated, digitally signed and certified application dependencies across ecosystems including Java and Python. Members receive updated binaries, source code, Software Bills of Materials and compliance documentation that integrate directly into existing development pipelines.

The platform follows Red Hat's upstream-first development model. Fixes are contributed back to the open source community while maintaining enterprise-grade security protections.

IBM and Red Hat are giving enterprises certified fixes they can pull straight into the systems they already run
Rob ThomasSenior Vice President, Software & Chief Commercial Officer, IBM

Development teams can pull certified fixes directly into systems they already run with no retooling required. The approach could appeal to organisations seeking to maintain software stability while addressing dependency vulnerabilities.

IBM and Red Hat designed the platform with major financial institutions in the loop. The aim is to remove the burden of patching vulnerable software without forcing organisations into disruptive upgrades or lengthy regression testing.

Financial services clearinghouse in limited release

Lightwell Clearinghouse Premier has entered limited availability with an initial focus on the financial services sector. The offering enables organisations to collaborate on vulnerability disclosure, coordinated threat response and patch embargoes before vulnerabilities become public.

IBM and Red Hat plan to expand the service to government, healthcare and telecommunications sectors. The Clearinghouse model could provide a framework for industry-specific collaboration on software supply chain management.

"IBM and Red Hat are giving enterprises certified fixes they can pull straight into the systems they already run, with no retooling or disruption, backed by a growing network of technology and delivery partners," says Rob Thomas, Senior Vice President, Software & Chief Commercial Officer, IBM.

Youtube Placeholder

"Making that possible takes scale most organisations don't have, a world-class team of engineers and AI systems working around the clock to protect the open source software the world's enterprises run on."

The financial services focus reflects the sector's complex regulatory requirements and need for coordinated vulnerability management

Technology and consulting partners join ecosystem

IBM and Red Hat are positioning Lightwell as an ecosystem backed by an elite roster of technology and consulting partners. Amazon Web Services, AMD, F5, GitLab, Intel, JFrog, Microsoft, NVIDIA, Palo Alto Networks and ServiceNow are collaborating to integrate security fixes across cloud environments, developer tools and enterprise infrastructure.

Key figures
  • The launch expands on US$5bn commitment to open source security that IBM and Red Hat announced in May 2026
  • Open source comprises up to 90% of enterprise codebases
  • Massive volume and AI-generated exploits have broken traditional patch management, leaving codebases with an average of 581 vulnerabilities

Deployment support will be provided by IBM Consulting, Red Hat Consulting, Accenture, Atos, Cognizant, Deloitte, EY, HCLTech, Infosys, Kyndryl, NTT DATA, Tata Consultancy Services and Tech Mahindra. These partners will help customers map SBOMs, manage software dependencies and integrate Lightwell into existing development pipelines.

"Safeguarding the open source software supply chain requires an open, diverse ecosystem spanning AI models, development tools and enterprise infrastructure," as IBM notes. The partner network spans infrastructure providers, development tooling vendors and systems integrators.

The platform addresses a challenge that could intensify as AI accelerates both software development velocity and the speed at which vulnerabilities emerge. With AI-generated exploits available at as little as US$50, traditional patch management cycles may no longer provide adequate protection for enterprise software development teams.