Big Tech
IBM and Red Hat Launch Lightwell to Automate Open Source Vulnerability Fixes for Enterprises
The new platform treats patching the world's open source software less like an engineering emergency and more like a utility, starting with the banks that can least afford to get it wrong.
[For more news, click here]
For decades, the unwritten deal underneath enterprise software was simple. Companies built the products people paid for, and somewhere beneath the surface, open source code did the invisible work of holding everything together. That code was free to use, but it was never free to secure. IBM and Red Hat are now proposing to change that arrangement. The two companies have launched a commercial platform called Lightwell that reframes vulnerability remediation not as an occasional engineering scramble, but as infrastructure enterprises can simply plug into, the way a factory plugs into the power grid rather than generating its own electricity.
Lightwell arrives as two distinct offerings. Lightwell Network is available now, giving member companies access to a catalog of more than 6,500 remediated, digitally signed, and certified application layer dependencies across ecosystems including Java and Python. Lightwell Clearinghouse Premier is entering a limited availability phase, built to serve as a trusted intermediary for secured patch embargoes and coordinated threat response, with its first commercial door open to financial services firms. Together, the offerings mark one of the largest attempts yet to industrialize the patching of the free, publicly maintained code that now sits inside nearly every piece of enterprise technology running across North America, and increasingly, the Gulf.
The Uncounted Bill of Free Software
The scale of the problem explains why two of the industry's largest players are willing to commit real money to it. Open source code now makes up as much as 90 percent of enterprise codebases, and it drove 9.8 trillion downloads in 2025 alone. That volume, combined with the arrival of AI generated exploits that can reportedly be produced for as little as $50, has overwhelmed traditional patch management, leaving the average enterprise codebase carrying 581 known vulnerabilities at any given time. Lightwell's premise is that this is not a series of isolated technical failures, but a structural gap that no single company, however well resourced, can close alone.
Turning Patches Into a Managed Utility
The mechanics of Lightwell are what separate it from a typical vendor security tool. Rather than pushing every customer toward the newest version of a software library, which often triggers weeks of regression testing and breaking changes, Lightwell backports critical fixes directly to the specific, long lived production versions organizations are already running. Members receive a continuous stream of signed binaries, source code, and full compliance documentation, including complete Software Bills of Materials, delivered straight into existing pipelines without introducing code drift. The system is built on what Red Hat calls its upstream-always model, meaning every fix is submitted back to the original open source project for community review rather than kept as a private patch, a design choice meant to strengthen the commons rather than fragment it.
“Lightwell represents a fundamental structural shift in how we secure all enterprise software,” said Matt Hicks, President and CEO of Red Hat. “By pairing automated remediation with our deep engineering heritage, we aim to deliver the trusted infrastructure required to consume open source reliably, sustainably, and at AI speeds.”
Behind that automation is a generative AI powered remediation engine, already operating at scale, that combines frontier and open models with human engineering review to identify, validate, and fix vulnerabilities buried deep in modern software architecture. The companies expect the catalog of remediated packages to grow from thousands of entries today to millions over time, backed by a combined workforce of more than 20,000 engineers under a $5 billion open source security commitment the two companies announced in May.
A Proving Ground in Finance, With a Wider Horizon
Lightwell Clearinghouse Premier's decision to open first in financial services is a deliberate one. Banks and market infrastructure operators carry both the highest compliance costs in the economy and some of the most attractive targets for attackers, which makes them a natural stress test for a system meant to eventually expand into government, healthcare, and telecommunications.
“No single institution can keep pace with the growing scale and complexity of open source vulnerabilities alone,” said Scott DePasquale, President and CEO of ARC. “The financial sector has long demonstrated the value of collaboration in addressing shared security challenges, and initiatives that enable coordinated remediation have the potential to strengthen resilience across the industry.”
“Heavily regulated industries such as financial services have the highest cost of compliance, meaning that they take security extremely seriously, especially in its use of open source software,” said Jerry Silva, Program Vice President for IDC Financial Insights. “The partnership bringing Red Hat and IBM together under the Lightwell banner to identify, triage, and remediate vulnerabilities will bolster the security and resiliency posture of these organizations globally, ensuring the trust that is the hallmark of the services they provide.”
“IBM and Red Hat are giving enterprises certified fixes they can pull straight into the systems they already run, with no retooling or disruption, backed by a growing network of technology and delivery partners,” said Rob Thomas, Senior Vice President, Software and Chief Commercial Officer at IBM. “Making that possible takes scale most organizations don't have, a world-class team of engineers and AI systems working around the clock to protect the open source software the world's enterprises run on.”
Why the Gulf Is Watching Too
Although Lightwell's initial rollout is anchored in the United States financial system, the logic behind it travels well beyond North America. Banks and fintech operators across the UAE and Saudi Arabia have spent the past several years building open banking rails, sovereign cloud infrastructure, and AI powered financial services under some of the strictest central bank cybersecurity frameworks in the world. A trust layer designed to certify, sign, and continuously patch the open source dependencies inside financial infrastructure addresses precisely the kind of supply chain risk that Gulf regulators have flagged as a priority as the region's digital economy scales. If Lightwell Clearinghouse Premier proves out in American finance and expands into other critical infrastructure verticals as planned, GCC banks and telecommunications operators pursuing similar compliance mandates are a logical next audience.
An Ecosystem Built to Scale
Lightwell is not a two-company project. IBM and Red Hat have lined up a roster of technology partners meant to ensure fixes propagate across the environments enterprises already run, including Amazon Web Services, AMD, F5, GitLab, Intel, JFrog, Microsoft, NVIDIA, Palo Alto Networks, and ServiceNow. The idea is that when a fix is ready, network rules, cloud environments, and deployment pipelines can update in concert across an enterprise's entire technology fabric, rather than waiting on each vendor to patch independently.
Taken together, Lightwell is a bet that the chaos of open source security can be turned into something closer to plumbing: unglamorous, continuously maintained, and largely invisible when it works. For an industry that has spent years treating patching as a recurring emergency, that would count as genuine progress.
Related Articles:
Operation Endgame: Hacking the Hackers to Bring Down a Global Credential Theft Network
Palo Alto Networks Acquires Chronosphere to Advance AI Era Observability
F5 Launches End-to-End AI Runtime Security Solutions Globally
















































