
The U.S. government has announced plans to make software vendors liable for damages caused by cybersecurity defects in their products. Software suppliers could face millions of dollars in fines and penalties if their products have security vulnerabilities that cause harm to consumers.

Minimize liability risk from open source

Liability can run into hundreds of millions of dollars. In 2019, the FTC fined Equifax $700 million for not updating a vulnerable version of the Apache Struts open source package, leading to the theft of personal information from about 147 million consumers.

Take advantage of liability shield protections

The U.S. government has announced the intent to provide a “safe harbor” liability shield to software suppliers who can show they are following secure software development practices. 


"So, on the liability question, the first thing that we’re trying to do here is make sure that we’re placing liability where it will do the most good... The company that is building and selling the software, they need to be liable for what they put in it and work to reduce vulnerabilities and use best practices... We can’t have them devolving that responsibility down to a two-person, open-source project that hasn’t received any funding in the last five years.  That’s not going to get us the outcome that we want."


- Senior White House administration official, speaking about liability provisions of the National Cybersecurity Strategy



How Tidelift can help

Watch a demo on how Tidelift helps organizations mitigate open source risk with first-party, maintainer-verified data for the components in your software supply chain.

Many organizations already have internal controls and processes in place for the code they write themselves. Tidelift provides similar protections for the open source dependencies in your applications (which in many codebases makes up 75% or more of the code).

The Tidelift Subscription is a complete solution for managing open source, including the tools, data, and strategies you need to minimize open source software security risks.

Tidelift pays the maintainers behind thousands of the most commonly used open source packages to attest their projects are developed using secure software development practices. Our subscription includes:

First-hand attestation data from the maintainers behind thousands of open source packages that go into your software, aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards.

A standardized attestations report, to be used as evidence that the open source dependencies in your organization’s applications follow secure software development best practices.

A solution for dynamically tracking attestations for open source components going into your product, and keeping these attestations current automatically.



“From a security remediation point of view ... no other vendor came close to the level of detail Tidelift provides—because Tidelift works directly with the open source maintainers of the projects EMPLOYERS and other enterprise organizations depend on.

“That relationship is pure gold. The openness you have with the open source maintainers and the ability to talk with the consumers about how we’re using their products—we have a direct line of communication from their fixes and what versions we should be using.”