IBM and Red Hat launch Lightwell to tackle open source security at scale

IBM and Red Hat have commercially launched Lightwell, an AI-powered open source vulnerability remediation platform targeting enterprise software supply chains, with an initial catalogue of more than 6,500 secured dependencies now available.

The platform arrives in two tiers: Lightwell Network, which is generally available and provides digitally signed, certified application-layer packages across Java and Python ecosystems; and Lightwell Clearinghouse Premier, which has entered a limited commercial onboarding phase as a trusted intermediary for coordinated patch embargoes and sector-specific threat management. The Clearinghouse tier is initially restricted to financial services, with plans to expand to government, healthcare, and telecommunications.

The launch extends a $5 billion commitment to open source security that IBM and Red Hat announced in May 2026, backed by more than 20,000 engineers. The companies say the platform's AI-driven remediation engine is already live and operating at scale, using frontier and open AI models alongside human engineering expertise to backport critical fixes to long-lived production software versions, avoiding the disruptive upstream upgrades that typically stall enterprise patching.

Matt Hicks, president and CEO of Red Hat, said Lightwell "represents a fundamental structural shift in how we secure all enterprise software," adding that the platform aims to deliver infrastructure capable of consuming open source "reliably, sustainably, and at AI speeds."

IBM's senior vice president for software and chief commercial officer Rob Thomas said the platform gives enterprises "certified fixes they can pull straight into the systems they already run, with no retooling or disruption, backed by a growing network of technology and delivery partners."

The scale of the problem Lightwell targets is significant. Open source now comprises up to 90 per cent of enterprise codebases and recorded 9.8 trillion downloads in 2025, while AI-generated exploits costing as little as $50 have overwhelmed traditional patch management, leaving the average codebase carrying 581 unaddressed vulnerabilities.

Jerry Silva, programme vice president for IDC Financial Insights, said heavily regulated industries such as financial services take security "extremely seriously," and that the IBM and Red Hat partnership "will bolster the security and resiliency posture of these organisations globally."

Technology partners including AWS, Microsoft, NVIDIA, Palo Alto Networks, and JFrog are collaborating on the platform, alongside deployment and strategy partners including Accenture, Deloitte, Infosys, and Tata Consultancy Services.



Share Story:

Recent Stories


The future-ready CFO: Driving strategic growth and innovation
This National Technology News webinar sponsored by Sage will explore how CFOs can leverage their unique blend of financial acumen, technological savvy, and strategic mindset to foster cross-functional collaboration and shape overall company direction. Attendees will gain insights into breaking down operational silos, aligning goals across departments like IT, operations, HR, and marketing, and utilising technology to enable real-time data sharing and visibility.

The corporate roadmap to payment excellence: Keeping pace with emerging trends to maximise growth opportunities
In today's rapidly evolving finance and accounting landscape, one of the biggest challenges organisations face is attracting and retaining top talent. As automation and AI revolutionise the profession, finance teams require new skillsets centred on analysis, collaboration, and strategic thinking to drive sustainable competitive advantage.