Does your organization rely heavily on open source software but struggle to understand how specific open source components might make you more susceptible to vulnerabilities and attacks?
Tidelift has built a unique solution that leverages the maintainers behind the open source components you rely on to address this challenge. Tidelift partners directly with the maintainers of thousands of the most-relied-upon open source packages and pays them to document and validate the secure software development practices they follow—including release guidance, vulnerability reporting and disclosure policies, licensing information, and more.
Tidelift’s open source package intelligence data is researched and validated by Tidelift and our paid maintainer partners, and is available via the Tidelift Subscription. Tidelift automates the data collection, curates and structures the data, and provides APIs to easily integrate with existing workflows and business intelligence tools.
Read how leading organizations use Tidelift open source intelligence to proactively improve supply chain health and security.
The best way to reduce future risk is to build with more secure and better maintained components to begin with. Before bringing new open source components into your organization, you should be able to answer questions such as:
With Tidelift’s open source intelligence, organizations can easily answer questions like these about the secure software development practices of millions of open source packages. For thousands of the most-relied-upon open source packages, we pay maintainers to meet enterprise-level security and maintenance standards (including standards aligned with the NIST Secure Software Development Framework) and to keep their packages maintained to those standards into the future.
Open source packages are constantly changing, and it is important to monitor and review updates. Packages can change licenses. Maintainers can walk away from a project if they’re not being paid for their work. Direct and transitive dependencies can cause an issue-free component to have problems when used in production. What was once the best-of-breed framework for a task can fall out of favor, its maintainers move on, and the project is deprecated. These are all important leading indicators that an open source component may become compromised by a vulnerability.
Building on healthy, secure open source software requires ongoing monitoring for updates and changes that affect the packages you use. Our customers use Tidelift’s open source intelligence in their ongoing monitoring workflows to stay informed about the packages they use and to get early warning when changes take place that might make a package risky to continue using in their applications.
Gathering open source information one package at a time is painstaking, time consuming, and expensive. Tidelift has built a unified, cross-ecosystem data model at scale, across millions of open source packages.
Gain first-party data about secure software development practices, release guidance, licensing information, and more, validated by Tidelift and our paid maintainer partners.
Access these insights via APIs, with the flexibility to pull them into your preferred workflows and tools.