Project Lightwell

Secure your open source supply chain with AI-driven remediation and enterprise-grade patching.


A trusted security clearinghouse

Open source software powers modern enterprise systems, from cloud infrastructure to AI applications. But as adoption has grown, so has risk.

Project Lightwell extends Red Hat’s proven model of enterprise open source maintenance beyond its traditional product footprint. Historically, Red Hat has delivered lifecycle management, validation, and patching for components within platforms like Red Hat Enterprise Linux and OpenShift. Project Lightwell expands this model to the broader application ecosystem, including independent libraries, language toolchains, and AI frameworks.

By combining agentic security methods with 20,000 dedicated engineers, Project Lightwell establishes a new model to identify, validate and remediate vulnerabilities in open source software.


The scale is the problem

Modern applications depend on deep, interconnected open source supply chains. Most enterprises cannot keep up with the volume, complexity, and speed of risk. AI-driven vulnerability discovery is accelerating both the volume and speed of CVE creation, compounding an already unsustainable remediation gap.

More than 40,000 vulnerabilities (CVEs) published in 2024 [1]
Reflects the accelerating volume of publicly disclosed software vulnerabilities tracked across global databases.

More than 90% of Fortune 500 companies rely on OSS [2]
Open source software underpins modern enterprise infrastructure.

Up to 59,000 projected by 2026 [3]
IBM estimates based on current disclosure trends and increasing software supply chain scale.

Nearly 3,900 vulnerabilities identified [4]
Mythos Preview model identified nearly 3,900 high- or critical-severity vulnerabilities in open source software alone.

How Project Lightwell works

Remediating vulnerabilities without disrupting production

Project Lightwell is designed to resolve one of the hardest problems in enterprise software: fixing vulnerabilities without breaking what is already in production.

Project Lightwell delivers validated fixes to the specific open source versions organizations already run. By combining large-scale engineering, AI, and a coordinated clearinghouse model, it enables organizations to move from detection to remediation without disrupting stability, certification, or compliance requirements.

  • From detection to remediation
  • From tools to platforms
  • From fragmented fixes to coordinated trust

When a vulnerability is identified, Project Lightwell backports fixes to the exact dependency versions already tested and deployed in production, delivering patched artifacts without requiring upgrades.

No access to source code is required. Project Lightwell operates on dependency manifests such as pom.xml, ensuring your application code remains fully within your environment while patched artifacts are delivered to repositories you control.
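The pinned-version problem described above can be made concrete with a small manifest scan. The following is an added example, not Project Lightwell's code or any IBM/Red Hat tooling: it parses a constructed pom.xml (resolving ${property} version placeholders), looks each dependency up in a constructed advisory table with hypothetical identifiers and coordinates (ADV-EXAMPLE-1, org.example:example-json, and so on), and reports whether the pinned version already has a patch release on its own major.minor line or whether only a backport to the pinned line would avoid a forced upgrade. The affected-range and classification rules are this example's assumptions.

```python
"""Scan a Maven pom.xml for pinned dependency versions inside a known affected
range and say whether a same-line patch release exists or a backport is needed.
Added example with constructed data; not part of Project Lightwell."""
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml for the demo: not a real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>orders-service</artifactId>
  <version>1.0.0</version>
  <properties>
    <json.version>2.13.1</json.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-json</artifactId>
      <version>${json.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-http</artifactId>
      <version>4.5.2</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-logging</artifactId>
      <version>1.2.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisories with hypothetical identifiers and coordinates.
# "affected" is [lo, hi) and "fixed_in" is the first release carrying the fix.
ADVISORIES = {
    "org.example:example-json": {"id": "ADV-EXAMPLE-1", "affected": ("2.0.0", "2.14.0"), "fixed_in": "2.14.0"},
    "org.example:example-http": {"id": "ADV-EXAMPLE-2", "affected": ("4.5.0", "4.5.3"), "fixed_in": "4.5.3"},
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '2.13.4.2' into (2, 13, 4, 2); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def resolve(value, props):
    """Expand ${prop} from <properties>; unknown placeholders are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def parse_pom(text):
    """Return [(groupId:artifactId, resolved version), ...] from a pom.xml string."""
    root = ET.fromstring(text)
    props = {p.tag.split("}")[1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        g = d.findtext("m:groupId", namespaces=NS).strip()
        a = d.findtext("m:artifactId", namespaces=NS).strip()
        v = resolve((d.findtext("m:version", default="", namespaces=NS) or "").strip(), props)
        deps.append((f"{g}:{a}", v))
    return deps


def classify(coord, version):
    """Classify one pinned dependency against the constructed advisory table."""
    adv = ADVISORIES.get(coord)
    if adv is None:
        return "no-advisory"
    lo, hi = adv["affected"]
    pv = parse_version(version)
    if not (parse_version(lo) <= pv < parse_version(hi)):
        return "not-affected"
    # Affected: if the fix landed on the same major.minor line a patch release
    # can be taken; otherwise only a backport avoids a forced upgrade.
    fv = parse_version(adv["fixed_in"])
    return "patch-release-available" if pv[:2] == fv[:2] else "backport-needed"


def scan(text):
    """Map each dependency coordinate to (pinned version, classification)."""
    return {coord: (version, classify(coord, version)) for coord, version in parse_pom(text)}


if __name__ == "__main__":
    for coord, (version, status) in scan(SAMPLE_POM).items():
        print(f"{coord} {version}: {status}")
```

Running the block shows example-json 2.13.1 as backport-needed (the only fix is on the 2.14 line), example-http 4.5.2 as patch-release-available (4.5.3 is on the same line), and example-logging as no-advisory. Real tooling would also walk transitive dependencies and dependencyManagement sections, which this example omits.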

Remediating at scale

Project Lightwell complements tools like Snyk, Sonatype, and GitHub Advanced Security by delivering patched, signed packages with SLAs, enabling organizations to move directly to production-ready remediation.

Through its coordinated clearinghouse model, Project Lightwell enables organizations to:

  • Share sensitive vulnerabilities under embargo through a secure intermediary model prior to disclosure
  • Report and resolve issues across active production environments
  • Receive validated patches spanning both Red Hat platforms and independent community code
  • Deliver fixes across complex dependency chains
  • Ensure improvements are contributed upstream and maintained over time
  • Reduce long-term maintenance overhead and fragmentation
  • Provide consistent, production-ready software for enterprise use

The result is a continuous model where security, speed, and ecosystem health work together, allowing organizations to remediate risk efficiently at scale.


Full-stack coverage

Project Lightwell combines comprehensive software supply chain coverage with AI-augmented engineering and deep open source expertise to deliver trusted, enterprise-ready security at global scale. Initial ecosystem focus includes Maven/Java, where regulated industries have the greatest need for pinned-version remediation, with expansion planned across PyPI, npm, Go, and more.

End-to-end open source coverage

Support extends beyond infrastructure to the full software supply chain, including language ecosystems such as Java, data and streaming platforms like Kafka, build tools and AI frameworks, and the transitive dependencies embedded across enterprise applications.

20,000 engineers powered by AI

A global team works alongside advanced AI tools to deliver upstream co-maintenance, vulnerability triage, secure patching, dependency hardening, release engineering, and trusted distribution of production-ready packages.

Upstream to production security model

Project Lightwell connects upstream open source communities with downstream enterprise environments, contributing fixes upstream so software is enterprise-ready without fragmentation or delay.

Proven open source leadership at scale

IBM and Red Hat bring unmatched experience, with more than 61,700 open source packages in use, deep expertise in over 10,600, participation in 290+ major projects, and leadership across Linux, Kubernetes, Java, Apache, Kafka, Ansible, Terraform, and more.

Secure your software supply chain

With Project Lightwell, your organization can reduce vulnerability backlogs, remediate CVEs without forced upgrades, and maintain stability across certified environments.

Deliver production-ready, signed patches with SLAs while contributing fixes upstream to strengthen the broader ecosystem.
