The only elephant in the room isn’t in the oval office. For enterprises dependent on IT — meaning every enterprise on the planet these days — there’s an elephant in every server and in every data center. Unless you’re air-gapped, that’s any code that’s running.
These days, the “many eyes” philosophy of open source security doesn’t really apply anymore. That’s because AI eyes can find out more about a system in seconds than a seasoned engineer working alone can discover in a day. AI can map an entire system, discover what old and technically out-of-date software is being deployed, and then figure out a novel new way to launch an exploit.
That’s what Red Hat and IBM are seeking to defend against with Lightwell.
Actually, the project is a twist on the old “many eyes” approach, but aided by AI to help the white hats get up to speed with the black hats. As they say, the more things change, the more they stay the same.
We first started hearing about Project Lightwell a few months ago. In late May, Red Hat and IBM described it as a $5 billion joint initiative to secure the open source software supply chain using AI-powered remediation and coordinated patch management. Then, a couple of weeks ago the project brought on Palo Alto Networks in order to take advantage of that company’s virtual patching capability.
“AI has compressed the window between vulnerability, discovery, and exploit from weeks to minutes,” Nikesh Arora, Palo Alto Network’s CEO and chairman, said at the time. “Traditional patching cannot keep pace. By collaborating with IBM and Red Hat, we are shifting the advantage back to defenders. This powerful combination allows us to neutralize threats in the network while providing uninterrupted business continuity for our global clients.”
On Wednesday, two weeks to the day after that announcement, IBM and Red Hat were back with an announcement of the commercial launch of Lightwell, promising that it will deliver automated vulnerability remediation at scale. This time they have more partners on board.
The Two Sides of Lightwell
Lightwell is delivered as something of a two-headed sword, with each side being served as a separate offering.
One side of the sword is Lightwell Network, which is already generally available. It’s basically a set of secure repositories of open‑source packages that Red Hat rebuilds, signs, and maintains for enterprise customers. The focus is on supply-chain security, so it includes things like validating upstream code, backporting security fixes to the exact versions customers are running, and then distributing those patched artifacts in native formats (Maven, npm, PyPI, etc.) so they drop into customers’ existing tooling.
In many ways, Lightwell Network is similar to already existing services such as Tux Care’s Endless Lifecycle Support, which for years has helped enterprises keep operating systems and other software supported long after reaching end-of-life. The main difference is that Lightwell is primarily tied to the Red Hat/IBM ecosystem, and delivers automated, signed content at scale, while TuxCare is broader and vendor‑agnostic, bringing EOL live‑patching support to many Linux distros and stacks.
For Lightwell Network’s member companies, this means that digitally signed binaries, source code, and comprehensive compliance artifacts (including complete Software Bills of Materials), are constantly available to be delivered directly into the companies’ existing pipelines. To oversimplify, this means that when an embargoed exploit is patched, it’ll pretty much get patched through the general workflow.
The sword’s other side is Lightwell Clearinghouse. Currently, it’s something of a release candidate that’s entering a limited-availability commercial onboarding phase. It’s intended to serve as something of a go-between for deep industry collaboration, advanced vertical threat coordination, and secured patch embargoes.
Here, according to Red Hat, organizations submit vulnerabilities and request targeted version remediation under an embargo window. In other words: if you discover a vulnerability, you can flag it and ask for a fix to arrive before the exploit becomes known. For the time being, Clearinghouse is limited to the financial services industry, but the plan is for it to expand in phases into other areas, including government, healthcare, and telecommunications.
Clearinghouse appears to be — at least for the time being — a little on the exclusive side. Red Hat says that due to specialized legal, geographic, and disclosure requirements, commercial entry is gated, and only open to qualified participating organizations.
“IBM and Red Hat are giving enterprises certified fixes they can pull straight into the systems they already run, with no retooling or disruption, backed by a growing network of technology and delivery partners,” said Rob Thomas, SVP of software, and chief commercial officer at IBM. “Making that possible takes scale most organizations don’t have, a world-class team of engineers, and AI systems working around the clock to protect the open source software the world’s enterprises run on.”
It Takes a Village…
IBM and Red Hat would like you to know that even though it is their project, it’s not just an IBM and Red Hat thing. An internet that’s prepared to defend against the black hats requires co-operation from all corners, and IBM/Red Hat have been enlisting troops “to deliver a true orchestrated defense, enabling network rules, cloud environments, and deployment pipelines to be updated simultaneously across the entire enterprise fabric when a fix is ready.”
Among technology providers, the likes of Amazon Web Services, AMD, GitLab, Intel, Microsoft, NVIDIA, and others are already on board to collaborate on Lightwell. Red Hat says this ensures that Lightwell’s security fixes extend across diverse environments, protecting a wide array of existing tools, applications, and services.
Also on board, to extend Lightwell’s security fixes across environments to protect tools, applications, and services are deployment services that include Accenture, Atos, Cognizant, Deloitte, Infosys, and others.
“These organizations help enterprise customers map SBOMs, manage version mapping, ingest Lightwell registries, and evaluate pipelines to enable preparedness for AI-velocity vulnerabilities,” Red Hat said.
More information on Lightwell is available, both from IBM and Red Hat.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux








Be First to Comment