The U.S. government has announced plans to make software vendors liable for damages caused by cybersecurity defects in their products. Software suppliers could face millions of dollars in fines and penalties if their products have security vulnerabilities that cause harm to consumers.
Liability can run into hundreds of millions of dollars. In 2019, the FTC fined Equifax $700 million for not updating a vulnerable version of the Apache Struts open source package, leading to the theft of personal information from about 147 million consumers.
The U.S. government has announced the intent to provide a “safe harbor” liability shield to software suppliers who can show they are following secure software development practices.
"So, on the liability question, the first thing that we’re trying to do here is make sure that we’re placing liability where it will do the most good... The company that is building and selling the software, they need to be liable for what they put in it and work to reduce vulnerabilities and use best practices... We can’t have them devolving that responsibility down to a two-person, open-source project that hasn’t received any funding in the last five years. That’s not going to get us the outcome that we want."
- Senior White House administration official, speaking about liability provisions of the National Cybersecurity Strategy
Many organizations already have internal controls and processes in place for the code they write themselves. Tidelift provides similar protections for the open source dependencies in your applications (which in many codebases makes up 75% or more of the code).
Tidelift pays the maintainers behind thousands of the most commonly used open source packages to attest their projects are developed using secure software development practices. Our subscription includes:
First-hand attestation data from the maintainers behind thousands of open source packages that go into your software, aligned to the U.S. government’s NIST Secure Software Development Framework (SSDF) standards.
A standardized attestations report , to be used as evidence that the open source dependencies in your organization’s applications follow secure software development best practices.
A solution for dynamically tracking attestations for open source components going into your product, and keeping these attestations current automatically.