<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

The Tidelift Subscription

Remove the risk to your organization's revenue, data, and customers from bad open source packages 

Using bad packages is slowing your team down

When you don’t have a continuous view of where end-of-lifed, abandoned, or insecure packages exist in your applications, your only defense is to scan for existing vulnerabilities and fix what you find.

Bad packages lead to more vulnerabilities—many of which are difficult to fix. This is slowing your application development team down, and creating additional invisible risk for your security team to manage.




Proactively reduce your organization’s reliance on bad packages

Tidelift takes a unique, data driven approach to addressing the issue of bad packages. Tidelift partners with the maintainers of thousands of the most-relied-upon open source packages and pays them to implement industry-leading secure software development practices and document the practices they follow. The result is a unique source of cross-ecosystem package intelligence that customers use to identify and eliminate bad packages.

Tidelift’s package intelligence can be easily integrated into your preferred workflows using our flexible APIs or by adopting our web UI and CLI capabilities.

Benefits of the Tidelift Subscription

Reduce s.r.

Reduce security risk

by eliminating attack entry points through bad packages

Improve p.

Improve productivity

by reducing vulnerability fire drills from insecure or undermaintained packages

Improve a.q.

Improve application quality 

by building with healthy and resilient open source packages

Increase o.e.

Increase operational efficiency 

by saving costly manual package evaluation time

Learn how one large organization saved over $1.6M in manual package evaluation time and eliminated over 3,000 points of risk in applications running in production.

Evaluating packages before pulling them in for application development

When researching and evaluating open source packages to use, Tidelift’s package recommendations provide an excellent starting point. The recommendation is a holistic evaluation of the package, and whether it is developed and maintained in a way that would make it a good fit for application development. 

It is also easy to undertake deeper package analysis with answers to questions such as: 

  • Does it conform to my organization’s license policies?
  • Is it actively maintained or is it deprecated?
  • Are the maintainers actively responding to security issues?
  • Are the maintainers producing new releases?
  • Are the maintainers supported by a foundation, a company, or other income sources?

Learn more about using our APIs to evaluate packages

Learn more about using our web UI and CLI to evaluate packages

Evaluate packages

Actively monitoring

Actively monitoring the open source packages in use

Open source packages are constantly changing and it is important to monitor and review updates after making the initial decision to use a package. Tidelift makes it possible to identify bad packages through early warning signs such as:

  • New release availability, leading to end-of-support for older versions
  • New versions released under different license types
  • Package maintenance status changes
    • Package marked as deprecated
    • Package marked as abandoned
  • Packages or versions getting impacted by vulnerabilities

Learn more about using our APIs to monitor packages

Learn more about using our web UI and CLI to monitor packages

Identifying and eliminating potentially bad packages already adopted

While it is ideal to identify and avoid bad packages in the first place, most organizations will have already adopted a significant number of packages without having done the upfront research.

Tidelift helps organizations evaluate their existing open source dependencies and prioritize the work to migrate away from bad packages by answering questions such as:

  • Is the package recommended or not?
  • Is the package marked abandoned, deprecated, or has an end-of-life date approaching?
  • Is the package utilizing the necessary secure development practices? 

Many maintainer partners also provide additional insights that can be used for prioritizing vulnerability remediation, including:

  • Is a CVE a false positive?
  • Are there specific recommendations for effective remediation? 

Learn more about using our APIs to eliminate bad packages

Learn more about using our web UI and CLI to eliminate bad packages

Identifying and eliminating


Maintainer Tatu Saloranta used income from Tidelift and its customers to completely rearchitect jackson-databind and eliminate the risk of RCE vulnerabilities.


Maintainer Jordan Harband saved minimist from deletion when its maintainer decided to delete their projects from GitHub.


Maintainer Seth Michael Larson was able to substantially improve urllib3 security practices thanks to income from Tidelift and its customers.


When SockJS maintainer Bryce Kahle took a new job that didn’t involve JavaScript, Asif Saif Uddin stepped in as maintainer, ensuring the project wasn’t abandoned.
Pillow: a Tidelift maintainer case story


Maintainer Jeffrey A. Clark significantly improved security practices used to maintain Pillow, a popular Python Image Library package downloaded 3 million times a day.


Maintainer Valeri Karpov of Mongoose implemented additional secure development practices and significantly improved the project’s OpenSSF scorecards score.
Apache Commons

Apache Commons

Maintainer Gary Gregory of Apache Commons used income from Tidelift and its customers to carve out  time to create a more robust security review process.

Reinforcing at-risk packages to keep them from becoming bad

Tidelift customers play a direct role in ensuring the packages they rely on keep getting better because package maintainers are paid based on factors that include customer usage. Maintainers use this income to improve the secure development practices they have in place, to document these practices, and to commit to maintaining them over time.

This means that customers can use open source with confidence, knowing that experienced maintainers have made the commitment to ensure the package follows enterprise level secure software development practices, and have the income they need to ensure it stays resilient and healthy into the future.

Learn more about how you can identify at-risk projects within your organization

Additional resources

750x400 (1)
Defense in depth: How to use Tidelift alongside your SCA tool

One question we get a lot when talking to customers: how does Tidelift go hand in hand with software composition analysis tools, like Black Duck or Snyk or Mend.io? Short answer: Tidelift is proactive, SCA is reactive.

Case story: EMPLOYERS® insurance works with Tidelift to improve technical hygiene and remediate Log4Shell vulnerability

When news of the critical vulnerability in popular Java logging tool Log4j broke, the team at EMPLOYERS® was ready.

1200x630 (26)
The 2023 Tidelift state of the open source maintainer report

Check out the new state of the open source maintainer report which included 11 key headlines coming out of our new survey of over 300 open source maintainers.