The initiative, called Project Lightwell, seeks to create a "clearinghouse" for open source security, establishing a model for managing risks across the software supply chain.