Red Hat and IBM have joined forces to bring the Lightwell solution to life, a platform that delivers automated vulnerability remediation at scale through two solutions: Lightwell Network and Lightwell Clearinghouse Premier. Available now, Lightwell Network offers enterprises access to an initial catalog of more than 6,500 fixed, digitally signed and certified dependencies for major ecosystems, including Java and Python. For its part, Lightwell Clearinghouse Premier enters a phase of limited availability as a trusted intermediary for patch embargo management and threat coordination by sector.
Scale advanced remediation capabilities
This release builds on the $5 billion open source security commitment that IBM and Red Hat announced in May 2026, supported by a global team of more than 20,000 engineers dedicated to overseeing and scaling Lightwell’s advanced AI-powered remediation capabilities.
The launch of Lightwell expands a model built over decades of trust, during which Red Hat has protected thousands of customers’ critical systems with millions of product downloads and countless patches, bug fixes and community contributions. It also reflects the strong momentum and active collaboration with financial sector partners, who see Lightwell as critical to solving a structural industry problem, recognizing that Red Hat and IBM are uniquely suited to provide the open source engineering expertise and scale that this task demands. Lightwell now extends that proven enterprise protection to an organization’s entire open source software portfolio.
To deliver this trusted infrastructure, Lightwell leverages the high processing power of an AI-based generative remediation engine that is already operating at full capacity. This advanced AI-powered automation process combines cutting-edge, open source AI models with the expertise of human engineers to identify, validate, and remediate vulnerabilities in critical dependencies embedded deep within modern software architectures.
Stable platform for future applications
Lightwell removes the friction between agile innovation and enterprise regulatory compliance by securing the specific software packages organizations run in production today, while establishing a stable platform for future applications. To break the lock on dependency fixes, Lightwell uses automation to retroactively apply critical fixes directly to specific, long-lived versions of production software, helping to address lengthy regression testing and compatibility-breaking changes that often cripple teams forced to adopt major source code updates. Backed by its AI-based remediation engine, Red Hat and IBM expect Lightwell’s catalog of remediated packages to quickly scale from thousands to millions.
Red Hat and IBM offer these capabilities through two solutions:
● Lightwell Network: With general availability, it offers immediate access to an active and constantly growing library of content ranging from the latest versions to legacy libraries, with high-value remediations. Members receive a continuous stream of digitally signed binaries, source code, and comprehensive compliance documentation—including complete software inventories of materials (SBOMs)—delivered directly into existing processes without code drift.
● Lightwell Clearinghouse Premier: Entering a commercial onboarding phase with limited availability, this tier is designed to act as a trusted intermediary for close industry collaboration, advanced coordination against vertical threats, and secure patch embargoes. Participating organizations can report vulnerabilities and request remediation of specific versions under an embargo window. Although the initial launch of the platform is limited to the financial sector, Red Hat and IBM plan to expand Lightwell Clearinghouse Premier to other critical infrastructure sectors—including government, healthcare, and telecommunications—in later phases. Given the specificity of the legal, geographic and disclosure frameworks necessary to operate sectoral coordination networks, commercial access is restricted to qualified participating organizations.
Lightwell operates under the Red Hat-proven “upstream-always” model, whereby security fixes are actively pushed to the source open source project for review and incorporation. This ensures that business protections and community health continually reinforce each other, preventing project fragmentation without exposing production environments to zero-day vulnerabilities.
Lightwell represents a fundamental structural change in the way enterprise software is protected
“No single institution can address the increasing scale and complexity of open source vulnerabilities,” said Scott DePasquale, President and CEO, ARC. “The financial sector has long demonstrated the value of collaboration to address shared security challenges, and initiatives that enable coordinated remediation have the potential to strengthen the resilience of the entire industry.”
“Lightwell represents a fundamental structural change in the way we secure all enterprise software,” said Matt Hicks, President and CEO, Red Hat. “By combining automated remediation with our extensive engineering expertise, we aim to provide the trusted infrastructure needed to use open source reliably, sustainably, and at the speed of AI.”
“IBM and Red Hat provide companies with certified fixes that can be integrated directly into the systems they already manage, without the need for redesign or service interruptions, supported by a growing network of technology and deployment partners,” said Rob Thomas, Senior Vice President, Software & Chief Commercial Officer, IBM. “Making this possible requires a scale that most organizations don’t have: a team of world-class AI engineers and systems working continuously to protect the open source software that businesses around the world operate on.”
“Highly regulated industries, such as financial services, have the highest compliance costs, which means they take security very seriously, especially when it comes to the use of open source software,” said Jerry Silva, Program Vice President for IDC Financial Insights. “The collaboration that unites Red Hat and IBM under the Lightwell brand to identify, classify and remediate vulnerabilities will strengthen the security and resilience of these organizations worldwide, guaranteeing the trust that characterizes the services they provide.”
Ensure an orchestrated defense
With open source accounting for up to 90% of enterprise code and generating 9.8 trillion downloads in 2025 alone1, the massive volume and $50 cost of IA-generated exploits2 has overwhelmed traditional patch management, leaving source code with an average of 581 vulnerabilities3. Lightwell is designed to mitigate this unidentified risk and neutralize execution bottlenecks by evaluating application context and dependency interactions to deliver validated solutions directly into active workflows.
Securing the open source software supply chain requires an open and diverse ecosystem that encompasses AI models, development tools, and enterprise infrastructure. Lightwell extends through a strong and ever-growing network of technology and deployment partners. By collaborating with industry leaders, Lightwell delivers truly orchestrated defense, meaning that when a fix is ready, network rules, cloud environments, and deployment flows are updated simultaneously across the enterprise ecosystem.
