IBM and Red Hat launch Lightwell to simplify open source vulnerability remediation
IBM and Red Hat have launched Lightwell to help enterprises fix open source vulnerabilities without disruptive software upgrades.
IBM and Red Hat have launched Lightwell, a set of offerings designed to help enterprises fix vulnerabilities in open source software without forcing major upgrades across production systems.
Table Of Content
The launch includes Lightwell Network, which is now generally available, and Lightwell Clearinghouse Premier, which is entering limited availability. Together, the two offerings are intended to address a common enterprise security problem, where vulnerable software packages remain in use because moving to a newer version could introduce compatibility issues, require lengthy testing or disrupt existing applications.
Lightwell Network gives organisations access to more than 6,500 remediated, digitally signed and certified software dependencies across ecosystems including Java and Python. IBM and Red Hat said the service can backport critical fixes to specific long-lived software versions, allowing organisations to patch the packages already running in production.
Lightwell focuses on software already in use
The service is aimed at organisations that rely on open source components embedded across large and complex software environments. In these cases, replacing a vulnerable package may involve wider changes across applications, testing processes and deployment pipelines.
IBM and Red Hat said Lightwell uses an AI-powered remediation engine that combines frontier and open AI models with human engineering expertise. The system identifies, validates and remediates vulnerabilities across software dependencies before delivering fixes for use in enterprise environments.
Lightwell Network members receive digitally signed binaries, source code and compliance records, including Software Bills of Materials. These materials are delivered into existing development and deployment pipelines, giving security and engineering teams a clearer record of the packages in use and the fixes applied to them.
The launch follows a US$5 billion commitment to open source security announced by IBM and Red Hat in May 2026. The companies said the programme is supported by more than 20,000 engineers and that the catalogue of remediated packages is expected to expand from thousands to millions.
Financial services is the first clearinghouse sector
Lightwell Clearinghouse Premier adds a controlled process for organisations that need to coordinate vulnerability disclosure and remediation. Participating organisations can submit vulnerabilities and request fixes for specific software versions under an embargo window.
The service is initially limited to financial services, where IBM and Red Hat have been working with design partners. The companies plan to extend the model to government, healthcare and telecommunications in later phases.
Commercial access will remain restricted to qualified organisations because the model requires sector-specific legal, geographic and disclosure arrangements. Scott DePasquale, President and CEO of ARC, said coordinated remediation could help financial institutions respond to vulnerabilities that affect the sector more broadly.
“No single institution can keep pace with the growing scale and complexity of open source vulnerabilities alone,” he said. “The financial sector has long demonstrated the value of collaboration in addressing shared security challenges, and initiatives that enable coordinated remediation have the potential to strengthen resilience across the industry.”
Partners will support enterprise deployment
IBM and Red Hat are working with technology and services companies to help enterprises integrate Lightwell into their existing environments.
Technology partners named in the announcement include Amazon Web Services, AMD, F5, GitLab, Intel, JFrog, Microsoft, NVIDIA, Palo Alto Networks and ServiceNow. IBM and Red Hat said these companies will help extend fixes across cloud environments, development tools, network controls and deployment pipelines.
The services partner group includes IBM Consulting, Red Hat Consulting, Accenture, Atos, Cognizant, Deloitte, EY cyber and risk consulting teams, HCLTech, Infosys, Kyndryl, LTM, NTT DATA, Tata Consultancy Services and Tech Mahindra. Their work will include helping organisations map Software Bills of Materials, manage software versions, connect to Lightwell registries and assess development pipelines.
Lightwell will operate under Red Hat’s upstream-always model, where security fixes are submitted back to the original open source communities for review and acceptance. IBM and Red Hat said this approach is intended to reduce fragmentation while making remediated packages available for enterprise use.





