Our mission at Tidelift is to make open source work better for users and creators alike. We know that by directly partnering with project maintainers, we can create and promote a product that helps organizations better manage the security, maintenance, and licensing issues that come from using open source, while building a recurring income stream around open source work.
When you partner with Tidelift, you’ll be working with us to ensure your projects meet enterprise-level security, maintenance, and licensing standards as part of our comprehensive approach to open source management.
Most actively maintained projects already have good code quality, but enterprise customers are looking for additional assurances that maintainers shouldn’t be expected to provide for free. And further, they value consistency across the many open source projects they depend on. Tidelift helps curate that consistent universe of enterprise-ready open source packages—and maintainers get paid for it.
Your work will fall into four categories that provide value to you and our enterprise customers:
A discoverable vulnerability-reporting policy, or coordinated disclosure plan, helps ensure that you will be notified of vulnerability reports for your project before they are made public. This reduces the risk that subscribers will be exploited by a publicly disclosed vulnerability before the fix is issued and applied, so we ask you to let us know how security reports will be handled for your project.
If your project already has a security policy or you’d like to handle it on your own, just point us to the URL for the policy. If you’d prefer, you can use the Tidelift security policy and we’ll help coordinate the fix and disclosure.
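The kind of discoverable policy described above is usually a `SECURITY.md` file at the root of the repository (GitHub surfaces it under the Security tab). The template below is an added example, not Tidelift's policy text; the contact address, response window and supported-version table are placeholders you would replace with your project's own values.

```markdown
# Security Policy

## Reporting a vulnerability

Please do NOT open a public issue for security problems.
Email security@example.org (placeholder address) with:

- the affected package name and version(s)
- a description of the issue and, if possible, a minimal reproduction
- whether you have already shared the report elsewhere

We acknowledge reports within 3 business days (placeholder window) and will
keep you informed while we prepare a fix. We ask that you give us a reasonable
period to release the fix before the details are made public, and we will
credit you in the advisory unless you prefer otherwise.

## Supported versions

| Version | Receives security fixes |
| ------- | ----------------------- |
| 2.x     | yes                     |
| 1.x     | until 2024-12-31 (placeholder date) |
| < 1.0   | no                      |
```

Keeping the supported-version table in the same file as the reporting instructions means a reporter and a subscriber see the same answer to "which releases will get a fix", which is the question the release-stream task further down asks you to answer.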
Avoid unauthorized package publication and ensure safer installs by setting up two-factor authentication for your project. Subscribers will know the dependencies they install haven’t been tampered with by a compromised account.
We will provide instructions for setting this up based on your package manager. If you already have this set up, just let us know and we’ll confirm. Bonus: configure it on GitHub so your repository won’t get tampered with!
Tidelift subscribers need your help to identify which release streams you’ll be willing to provide security updates for. Please note that this task is currently only about security updates. It does not relate to bug fixes, new features, or anything else that may fall under the “support” umbrella.
We show subscribers release notes to help them understand a clear upgrade path at a glance. Release notes are rendered from Markdown or RST and you can input them manually, use our API, load them from a URL, or, if your package is on GitHub, load notes from GitHub Releases. By inputting release notes into the Tidelift application, we can save subscribers time and effort by showing all their dependency release notes in one place.
Tidelift subscribers need your help to use the most appropriate version of your package, so we prompt you to indicate which versions are: active, receiving security fixes, or deprecated. In the future, we may require that active versions not rely on deprecated versions of other dependencies.
We scan releases of your package to assess whether they will introduce issues for subscribers and notify you of any problems detected with your project (and its transitive dependencies). If any issues are detected, we’ll guide you to find and fix the root cause and get the issues resolved quickly. Together, we’ll make sure subscribers get the most secure, up-to-date packages.
We’ve found that over 20% of packages have a license metadata error between the source and the package manager, so we compare the license information reported by your package manager and GitHub. If they don’t match, we’ll help you get them corrected and notify you when everything looks good. This allows subscribers to make informed license policy decisions based on accurate metadata.
We also ask you to verify that the license information detected by the package manager and GitHub are correct. If any are incorrect, you can let us know from the dashboard and we will make the appropriate updates within our system. We'll notify you when the issue has been fixed so that you can verify them again. This one-time task helps us ensure that we have the correct license information so that subscribers can make informed decisions about dependency usage and compliance.
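The comparison the two paragraphs above describe can be reproduced locally before Tidelift flags it. The script below is an added example, not Tidelift's scanner: it normalises the license declared in PyPI-style package metadata (the `license` field, then the trove classifiers) and the `spdx_id` GitHub's repository API reports, and classifies the pair as a match, a mismatch, or unknown. The alias table is an assumed, deliberately small mapping; the sample inputs are constructed to look like the two APIs' JSON, so nothing is fetched over the network.

```python
"""Compare the license declared in package-manager metadata with the one
GitHub detects for the repository, and flag mismatches.
Added example; the alias table and sample inputs are constructed."""

# Common free-text spellings mapped to SPDX identifiers (assumed, not exhaustive).
ALIASES = {
    "mit": "MIT",
    "mit license": "MIT",
    "apache 2.0": "Apache-2.0",
    "apache-2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "apache software license": "Apache-2.0",
    "bsd": "BSD-3-Clause",
    "bsd 3-clause": "BSD-3-Clause",
    "bsd-3-clause": "BSD-3-Clause",
    "gpl-3.0": "GPL-3.0-only",
    "gplv3": "GPL-3.0-only",
}

# PyPI trove classifiers that name a license start with this prefix.
CLASSIFIER_PREFIX = "License :: OSI Approved :: "


def normalize(text):
    """Reduce a license string to an SPDX identifier if recognised, else None."""
    if not text:
        return None
    return ALIASES.get(text.strip().lower())


def license_from_package_manager(meta):
    """Read the license from a PyPI-style JSON 'info' block: the explicit
    'license' field first, then the trove classifiers as a fallback."""
    info = meta.get("info", {})
    spdx = normalize(info.get("license"))
    if spdx:
        return spdx
    for classifier in info.get("classifiers", []):
        if classifier.startswith(CLASSIFIER_PREFIX):
            spdx = normalize(classifier[len(CLASSIFIER_PREFIX):])
            if spdx:
                return spdx
    return None


def license_from_github(repo):
    """GitHub's repository object carries a 'license' dict whose 'spdx_id'
    is 'NOASSERTION' when detection failed."""
    lic = repo.get("license") or {}
    spdx = lic.get("spdx_id")
    if not spdx or spdx == "NOASSERTION":
        return None
    return spdx


def compare_license(pm_meta, gh_repo):
    """Return (status, package_manager_spdx, github_spdx); status is
    'match', 'mismatch', or 'unknown' when one side could not be normalised."""
    pm = license_from_package_manager(pm_meta)
    gh = license_from_github(gh_repo)
    if pm is None or gh is None:
        return ("unknown", pm, gh)
    return ("match" if pm == gh else "mismatch", pm, gh)


# Constructed sample inputs shaped like PyPI's JSON API and GitHub's repo API.
SAMPLE_PYPI = {
    "info": {
        "license": "",
        "classifiers": [
            "Programming Language :: Python :: 3",
            "License :: OSI Approved :: Apache Software License",
        ],
    }
}
SAMPLE_GITHUB = {"license": {"key": "mit", "spdx_id": "MIT"}}

if __name__ == "__main__":
    # The constructed pair disagrees: Apache-2.0 on PyPI, MIT on GitHub.
    print(compare_license(SAMPLE_PYPI, SAMPLE_GITHUB))
```

An "unknown" result is worth treating as a finding too: a free-text license the script cannot map is exactly the kind of metadata a subscriber's policy engine will also fail to classify.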
Every project is different and we’ll work with you to determine the placement that will reach the most users, generate more leads, and result in revenue growth for your project.
If your project is on GitHub, one way you can inform your users that your project is part of the Tidelift Subscription is by adding the GitHub Sponsors button and linking to your Tidelift project page. This is an accessible, visible place to inform developers that your project is a part of the Tidelift Subscription.
If your project is not on GitHub, active users of your project likely visit your project site, repository, or documentation, so these are ideal places to tell them how to get the commercial assurances for the project while supporting your work by purchasing the Tidelift Subscription.
We will ask you to sign a legal agreement and follow our code of conduct. We've worked hard to make it understandable, and you can exit the agreement at any time with 30 days notice. You can review the agreement in its entirety here.
We welcome your feedback on the legal agreement or the code of conduct. You can email us at email@example.com.
Our income estimate is for the entire project. If your project has co-maintainers, please discuss it with everyone. We will confirm you’ve spoken with them before the lifting is approved.