NIST Secure Software Development Framework (SSDF) attestations for open source

The U.S. government has announced plans to make software vendors liable for damages caused by cybersecurity defects in their products. Software suppliers could be facing millions of dollars in fines and penalties if their products have security vulnerabilities that cause harm to consumers.

Minimize liability risk from open source

Liability can run into hundreds of millions of dollars. In 2019, the FTC fined Equifax $700 million for not updating a vulnerable version of the Apache Struts open source package, leading to the theft of personal information from about 147 million consumers.

Take advantage of liability shield protections

The U.S. government has announced the intent to provide a “safe harbor” liability shield to software suppliers who can show they are following secure software development practices.

How Tidelift can help

Attestations for the cybersecurity practices of the open source components in your software supply chain

Get a sample report

Many organizations already have internal secure software development practices in place for the code they write themselves. Tidelift helps you document the secure software development practices of the open source dependencies in your applications (which in many codebases makes up 70% or more of the code).

The Tidelift Subscription is a complete solution for managing open source, including the tools, data, and strategies you need to document your open source software supply chain security practices.

Tidelift pays the maintainers behind thousands of the most commonly used open source packages to attest their projects are developed using secure software development practices. Our subscription includes:

The only source for first-hand attestation data from the maintainers behind thousands of open source packages that go into your software, aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards.

A standardized attestations report, to be used as evidence that the open source dependencies in your organization’s applications follow secure software development best practices.

A solution for dynamically tracking attestations for open source components going into your product, and keeping these attestations current automatically.

The first 500 Upstream registrants get a free t-shirt

NIST Secure Software Development Framework (SSDF) attestations for
open source

The U.S. government has announced plans to make software vendors liable for damages caused by cybersecurity defects in their products. Software suppliers could be facing millions of dollars in fines and penalties if their products have security vulnerabilities that cause harm to consumers.

Minimize liability risk from open source

Take advantage of liability shield protections

How Tidelift can help

Attestations for the cybersecurity practices of the open source components in your software supply chain

The Tidelift Subscription is a complete solution for managing open source, including the tools, data, and strategies you need to document your open source software supply chain security practices.

Tidelift named Gartner® Cool Vendor™

Learn more about government actions impacting open source

Learn more about how emerging US government cybersecurity actions will affect your business.

Get a complete view of government actions impacting open source

Tidelift

Product

Resources

For Maintainers