Liability can run into hundreds of millions of dollars. In 2019, the FTC fined Equifax $700 million for not updating a vulnerable version of the Apache Struts open source package, leading to the theft of personal information from about 147 million consumers.
The U.S. government has announced the intent to provide a “safe harbor” liability shield to software suppliers who can show they are following secure software development practices.
Many organizations already have internal secure software development practices in place for the code they write themselves. Tidelift helps you document the secure software development practices of the open source dependencies in your applications (which in many codebases makes up 70% or more of the code).
Tidelift pays the maintainers behind thousands of the most commonly used open source packages to attest their projects are developed using secure software development practices. Our subscription includes:
The only source for first-hand attestation data from the maintainers behind thousands of open source packages that go into your software, aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards.
A standardized attestations report, to be used as evidence that the open source dependencies in your organization’s applications follow secure software development best practices.
A solution for dynamically tracking attestations for open source components going into your product, and keeping these attestations current automatically.