
The Tidelift Subscription

Proactively reduce organizational risk by making informed decisions about open source software 


Insights

Proactively evaluate the security, licensing and maintenance risks of open source software using Tidelift’s
centralized, structured, and continuously curated database of insights spanning millions of open source packages.


Open source package research

The best way to reduce future risk is to build with more secure and better maintained components to begin with. Before bringing new open source components into your organization, you should be able to answer questions such as:

  • Does it conform to my organization’s license policies?
  • Is it actively maintained or is it deprecated?
  • Are the maintainers actively responding to security issues?
  • Are the maintainers producing new releases?
  • Are the maintainers supported by a foundation, a company, or other income sources?

With Tidelift’s open source intelligence, organizations can easily answer questions like these about the secure software development practices of millions of open source packages. For thousands of the most-relied-upon open source packages, we pay maintainers to meet enterprise-level security and maintenance standards (including standards aligned with the NIST Secure Software Development Framework, SSDF) and to keep their packages maintained to those standards into the future.


Ongoing monitoring of open source software in use

Open source packages are constantly changing, and it is important to monitor and review updates. Packages can change licenses. Maintainers can walk away from a project if they are not being paid for their work. Direct and transitive dependencies can cause a component that has no issues of its own to have problems when used in production. What was once the best-of-breed framework for a task can fall out of favor, its maintainers move on, and the project is deprecated. These are all leading indicators that an open source component may later be affected by a vulnerability.

Building on healthy, secure open source software requires ongoing monitoring for updates and changes that impact the packages you use. Our customers are using Tidelift’s open source intelligence in their ongoing monitoring workflows to stay informed about the packages they use, and get early warning when changes take place that might make a package risky to continue using in their applications. 


Visibility

Ensure stakeholders are able to respond to issues and vulnerabilities by giving them appropriate visibility of open source software usage across the organization.


Centralized dynamic software bills of materials (SBOMs)

Tidelift provides a detailed view into the open source components the organization is using along with the transitive dependencies being pulled into your software development lifecycle. SBOMs include insights such as:

  • Release-level license information, verified and expressed as SPDX license identifiers
  • How each release came into your software (dependency chains)
  • Imports and exports in CycloneDX and SPDX formats


Cross-SBOM visibility

Organizations have access to granular mapping of specific open source packages being used across individual applications, including:

  • Runtime or test usage
  • Whether a particular library meets organizational policies
  • Security vulnerabilities and licensing issues

Dependency chains

With Tidelift, organizations get advanced visibility into whether a dependency is direct or transitive with the ability to identify how specific dependencies are being pulled into their code.
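A worked illustration of the dependency-chain and policy visibility described above, added here as an example; it is not Tidelift's code and does not show how Tidelift implements these views. It parses a constructed CycloneDX 1.5 JSON document (the `dependencies` array carries the graph and `metadata.component` names the application itself), walks the graph from the application to label every package as direct or transitive together with the shortest chain that pulls it in, and flags packages whose SPDX license identifier is missing or outside an allowlist. The package names, versions, license identifiers and the allowlist are assumptions chosen for illustration.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5 JSON (not a real SBOM). Component refs use purl syntax.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app@1.0.0", "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3", "version": "2.0.7",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:pypi/certifi@2023.7.22", "name": "certifi", "version": "2023.7.22",
         "licenses": [{"license": {"id": "MPL-2.0"}}]},
        {"bom-ref": "pkg:pypi/somelib@0.1.0", "name": "somelib", "version": "0.1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/somelib@0.1.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7", "pkg:pypi/certifi@2023.7.22"]},
        {"ref": "pkg:pypi/somelib@0.1.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]},
    ],
})

# Hypothetical organizational license policy: SPDX identifiers allowed in shipped code.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "MPL-2.0"}


def load_graph(bom_text):
    """Return (root ref, adjacency dict, {ref: [license ids]}) from CycloneDX JSON."""
    bom = json.loads(bom_text)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    licenses = {}
    for comp in bom.get("components", []):
        ids = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            ids.append(lic.get("id") or lic.get("name"))
        licenses[comp["bom-ref"]] = [i for i in ids if i]
    return root, graph, licenses


def dependency_chains(root, graph):
    """Breadth-first walk from the root: {ref: shortest chain of refs from root to ref}."""
    chains = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in chains:  # first visit is the shortest path; also stops cycles
                chains[child] = chains[node] + [child]
                queue.append(child)
    chains.pop(root)
    return chains


def classify(chains):
    """A package reached in one hop from the root is direct; anything deeper is transitive."""
    return {ref: ("direct" if len(chain) == 2 else "transitive") for ref, chain in chains.items()}


def policy_violations(chains, licenses, allowed=ALLOWED_LICENSES):
    """Packages with no license data or a license outside the allowlist, with the chain that pulls them in."""
    violations = []
    for ref, chain in chains.items():
        lics = licenses.get(ref, [])
        if not lics or any(l not in allowed for l in lics):
            violations.append((ref, lics, " -> ".join(chain)))
    return violations


def report(bom_text=SAMPLE_BOM):
    root, graph, licenses = load_graph(bom_text)
    chains = dependency_chains(root, graph)
    return {"kinds": classify(chains), "chains": chains,
            "violations": policy_violations(chains, licenses)}


if __name__ == "__main__":
    result = report()
    for ref, kind in result["kinds"].items():
        print(f"{kind:10} {ref}  via {' -> '.join(result['chains'][ref])}")
    for ref, lics, chain in result["violations"]:
        print(f"POLICY: {ref} licenses={lics} pulled in by {chain}")
```

Recording the chain, not just the direct/transitive flag, is what makes a violation actionable: in the sample, the GPL-3.0-only package is a direct dependency and can be swapped out, whereas a flagged transitive package would have to be fixed by upgrading or replacing the direct dependency that pulls it in.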


Management

Mitigate long-term organizational risk by standardizing open source software management practices and policies across the organization.


Security

Tidelift’s built-in security standards give developers guidance on which releases are allowed within the organization, based on our continuous evaluation and decision-making. Exceptions can also be created for specific use cases that a given vulnerability does not affect.


Licensing

Included out-of-the-box licensing templates ensure developers have the guidance they need to use packages with approved licenses, preventing the organization from being exposed to unexpected and unwanted legal risk.

Maintenance

Organizations can also implement maintenance standards that guide developers away from using deprecated or out-of-date package versions.


Additional resources

Defense in depth: How to use Tidelift alongside your SCA tool

One question we get a lot when talking to customers: how does Tidelift go hand in hand with software composition analysis tools, like Black Duck or Snyk or Mend.io? Short answer: Tidelift is proactive, SCA is reactive.

New video story: How Distributive uses Tidelift to maximize open source security and resilience

Within days of using the Tidelift application, the Distributive team found potential vulnerabilities that npm audit had not flagged, and quickly and safely fixed them with Tidelift’s CLI tool.

The 2023 Tidelift state of the open source maintainer report

Check out the new state of the open source maintainer report, which includes 11 key headlines from our new survey of over 300 open source maintainers.