<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

The U.S. government has announced plans to make software vendors liable for damages caused by cybersecurity defects in their products. Software suppliers could be facing millions of dollars in fines and penalties if their products have security vulnerabilities that cause harm to consumers. 

Minimize liability risk from open source

Liability can run into hundreds of millions of dollars. In 2019, the FTC fined Equifax $700 million for not updating a vulnerable version of the Apache Struts open source package, leading to the theft of personal information from about 147 million consumers.

Take advantage of liability shield protections

The U.S. government has announced the intent to provide a “safe harbor” liability shield to software suppliers who can show they are following secure software development practices. 

How Tidelift can help

Watch a demo to learn how Tidelift can help your organization attest to the cybersecurity practices of the open source components in your software supply chain

Many organizations already have internal secure software development practices in place for the code they write themselves. Tidelift helps you document the secure software development practices of the open source dependencies in your applications (which in many codebases makes up 75% or more of the code).

The Tidelift Subscription is a complete solution for managing open source, including the tools, data, and strategies you need to document your open source software supply chain security practices.

Tidelift pays the maintainers behind thousands of the most commonly used open source packages to attest their projects are developed using secure software development practices. Our subscription includes:

The only source for first-hand attestation data from the maintainers behind thousands of open source packages that go into your software, aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards.

A standardized attestations report, to be used as evidence that the open source dependencies in your organization’s applications follow secure software development best practices.

A solution for dynamically tracking attestations for open source components going into your product, and keeping these attestations current automatically.

Screenshot 2023-11-15 at 2.07.21 PM


From a security remediation point of view... no other vendor came close to the level of detail Tidelift provides—because Tidelift works directly with the open source maintainers of the projects EMPLOYERS and other enterprise organizations depend on.

“That relationship is pure gold. The openness you have with the open source maintainers and the ability to talk with the consumers about how we’re using their products—we have a direct line of communication from their fixes and what versions we should be using.”