<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

The Tidelift Subscription

Remove the risk to your organization's revenue, data, and customers from bad open source packages 

Read case stories  Schedule a demo

 

Using bad packages is slowing your team down

When you don’t have a continuous view of where end-of-lifed, abandoned, or insecure packages exist in your applications, your only defense is to scan for existing vulnerabilities and fix what you find.

Bad packages lead to more vulnerabilities—many of which are difficult to fix. This is slowing your application development team down, and creating additional invisible risk for your security team to manage.

Tidelift_HomepageAssets_a01v01_BadPackages

Tidelift_HomepageAssets_a01v01_Proactive

 

Proactively reduce your organization’s reliance on bad packages

Tidelift takes a unique, data driven approach to addressing the issue of bad packages. Tidelift partners with the maintainers of thousands of the most-relied-upon open source packages and pays them to implement industry-leading secure software development practices and document the practices they follow. The result is a unique source of cross-ecosystem package intelligence that customers use to identify and eliminate bad packages.

Tidelift’s package intelligence can be easily integrated into your preferred workflows using our flexible APIs or by adopting our web UI and CLI capabilities.

Learn more about Tidelift’s partnership with open source maintainers

Benefits of the Tidelift Subscription

Reduce s.r.

Reduce security risk

by eliminating attack entry points through bad packages

Improve p.

Improve productivity

by reducing vulnerability fire drills from insecure or undermaintained packages

Improve a.q.

Improve application quality 

by building with healthy and resilient open source packages

Increase o.e.

Increase operational efficiency 

by saving costly manual package evaluation time

Learn how one large organization saved over $1.6M in manual package evaluation time and eliminated over 3,000 points of risk in applications running in production.

Read the story

Evaluating packages before pulling them in for application development

When researching and evaluating open source packages to use, Tidelift’s package recommendations provide an excellent starting point. The recommendation is a holistic evaluation of the package, and whether it is developed and maintained in a way that would make it a good fit for application development. 

It is also easy to undertake deeper package analysis with answers to questions such as: 

  • Does it conform to my organization’s license policies?
  • Is it actively maintained or is it deprecated?
  • Are the maintainers actively responding to security issues?
  • Are the maintainers producing new releases?
  • Are the maintainers supported by a foundation, a company, or other income sources?

Learn more

Evaluate packages

Actively monitoring

Actively monitoring the open source packages in use

Open source packages are constantly changing and it is important to monitor and review updates after making the initial decision to use a package. Tidelift makes it possible to identify bad packages through early warning signs such as:

  • New release availability, leading to end-of-support for older versions
  • New versions released under different license types
  • Package maintenance status changes
    • Package marked as deprecated
    • Package marked as abandoned
  • Packages or versions getting impacted by vulnerabilities

Learn more

Identifying and eliminating potentially bad packages already adopted

While it is ideal to identify and avoid bad packages in the first place, most organizations will have already adopted a significant number of packages without having done the upfront research.

Tidelift helps organizations evaluate their existing open source dependencies and prioritize the work to migrate away from bad packages by answering questions such as:

  • Is the package recommended or not?
  • Is the package marked abandoned, deprecated, or has an end-of-life date approaching?
  • Is the package utilizing the necessary secure development practices? 

Many maintainer partners also provide additional insights that can be used for prioritizing vulnerability remediation, including:

  • Is a CVE a false positive?
  • Are there specific recommendations for effective remediation? 

Learn more about using our APIs to eliminate bad packages

Learn more about using our web UI and CLI to eliminate bad packages

Identifying and eliminating
jackson-databind

jackson-databind

Maintainer Tatu Saloranta used income from Tidelift and its customers to completely rearchitect jackson-databind and eliminate the risk of RCE vulnerabilities.
READ THE STORY
minimist

minimist

Maintainer Jordan Harband saved minimist from deletion when its maintainer decided to delete their projects from GitHub.
READ THE STORY
urllib3banner_github-1

urllib3

Maintainer Seth Michael Larson was able to substantially improve urllib3 security practices thanks to income from Tidelift and its customers.
READ THE STORY
sockjs

SockJS

When SockJS maintainer Bryce Kahle took a new job that didn’t involve JavaScript, Asif Saif Uddin stepped in as maintainer, ensuring the project wasn’t abandoned.
READ THE STORY
jordan-harband-javascript-logo

Jordan Harband

Maintainer Jordan Harband used income from Tidelift and its customers to consistently maintain over 450 JavaScript packages during good times and bad.
Read the story
Pillow: a Tidelift maintainer case story

Pillow

Maintainer Jeffrey A. Clark significantly improved security practices used to maintain Pillow, a popular Python Image Library package downloaded 3 million times a day.
READ THE STORY
mongoose

Mongoose

Maintainer Valeri Karpov of Mongoose implemented additional secure development practices and significantly improved the project’s OpenSSF scorecards score.
READ THE STORY
Apache Commons

Apache Commons

Maintainer Gary Gregory of Apache Commons used income from Tidelift and its customers to carve out  time to create a more robust security review process.
READ THE STORY

Reinforcing at-risk packages to keep them from becoming bad

Tidelift customers play a direct role in ensuring the packages they rely on keep getting better because package maintainers are paid based on factors that include customer usage. Maintainers use this income to improve the secure development practices they have in place, to document these practices, and to commit to maintaining them over time.

This means that customers can use open source with confidence, knowing that experienced maintainers have made the commitment to ensure the package follows enterprise level secure software development practices, and have the income they need to ensure it stays resilient and healthy into the future.

Learn more about how you can identify at-risk projects within your organization

Additional resources

2024-survey-report-1200x628
The 2024 Tidelift state of the open source maintainer report

The results of the 2024 Tidelift state of the open source maintainer report are live! In this year's survey, we identified 12 big headlines out of the data we collected from 400 open source maintainers.

Read now
Employers_case_story
Case story: EMPLOYERS® insurance works with Tidelift to improve technical hygiene and remediate Log4Shell vulnerability

When news of the critical vulnerability in popular Java logging tool Log4j broke, the team at EMPLOYERS® was ready.

Read now
Tidelift_WebinarGraphics_social-Oct-07-2024-07-11-55-6309-PM
Open source security through the lens of Tidelift

Cisco’s internal development teams, using Corona enhanced with open source metadata provided by Tidelift, can now access insightful package metadata and gain additional insights into vulnerabilities. 

Read now
See all resources