Validated open source package intelligence 

Does your organization rely heavily on open source software but struggle to understand how specific open source components might make you more susceptible to vulnerabilities and attacks?

Tidelift has built a unique solution that leverages the maintainers behind the open source components you rely on to address this challenge. Tidelift partners directly with the maintainers of thousands of the most-relied-upon open source packages and pays them to document and validate the secure software development practices they follow—including release guidance, vulnerability reporting and disclosure policies, licensing information, and more.

Maintainer-validated insights and more, available only from Tidelift

Tidelift’s open source package intelligence data is researched and validated by Tidelift and our paid maintainer partners and available via the Tidelift Subscription. Tidelift automates the data collection, curates and structures the data, and provides APIs to easily integrate with existing workflows and business intelligence tools.

Read how leading organizations use Tidelift open source intelligence to proactively improve supply chain health and security.

Open source package research

The best way to reduce future risk is to build with more secure and better maintained components to begin with. Before bringing new open source components into your organization, you should be able to answer questions such as:

  • Does it conform to my organization’s license policies?
  • Is it actively maintained or is it deprecated?
  • Are the maintainers actively responding to security issues?
  • Are the maintainers producing new releases?
  • Are the maintainers supported by a foundation, a company, or other income sources?

With Tidelift’s open source intelligence, organizations can easily answer questions like these about the secure software development practices of millions of open source packages. For thousands of the most-relied-upon open source packages, we pay maintainers to meet enterprise-level security and maintenance standards (including standards aligned with the NIST Secure Software Development Framework) and to keep their packages maintained to those standards into the future.

Learn about integration options

Ongoing monitoring of open source software in use

Open source packages are constantly changing, and it is important to monitor and review updates. Packages can change licenses. Maintainers can walk away from a project if they’re not being paid for their work. Direct and transitive dependencies can cause an issue-free component to have problems when used in production. What was once the best-of-breed framework for doing something can fall out of favor while its maintainers move on and the project is deprecated. These are all important leading indicators of the potential for an open source component to be compromised by a vulnerability.

Building on healthy, secure open source software requires ongoing monitoring for updates and changes that affect the packages you use. Our customers use Tidelift’s open source intelligence in their ongoing monitoring workflows to stay informed about the packages they use and to get early warning when changes take place that might make a package risky to continue using in their applications.

Learn about integration options

Learn how our customers use this data to drive better decision-making, which results in more efficiency and increased autonomy for development teams.

The benefits of validated open source package data

Open source intelligence data at scale

Gathering open source information one package at a time is painstaking, time consuming, and expensive. Tidelift has built a unified, cross-ecosystem data model at scale, spanning millions of open source packages.

Reduce time spent analyzing packages and make better decisions

Gain first-party data about secure software development practices, release guidance, licensing information, and more, validated by Tidelift and our paid maintainer partners.

Data where you need it

Access these insights via APIs, with the flexibility to pull them into your preferred workflows and tools.