<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=705633339897683&amp;ev=PageView&amp;noscript=1">

The Tidelift Subscription

Proactively reduce organizational risk by making informed decisions about open source software 

HubSpot Video


Proactively evaluate the security, licensing and maintenance risks of open source software using Tidelift’s
centralized, structured, and continuously curated database of insights spanning millions of open source packages.

Schedule a demo

First-party maintainer-sourced data

Tidelift partners directly with the maintainers of thousands of the most popular open source packages and pays them to validate they follow secure development practices like those outlined by government and industry, such as the NIST Secure Software Development Practices and the OpenSSF Scorecards project.  This provides organizations with unique first-party, maintainer-sourced insights such as: 

  • Who has publish privileges on upstream package managers? 
  • How is the package ensuring only those who should push releases, are the ones doing so?
  • Does the package have multi-factor authentication enabled for both contributing code and publishing releases?
  • Detailed recommendations on vulnerability handling:
    • Are there available workarounds?
    • Are there specific affected methods and access patterns for a vulnerability(such as whether it affects usage in development and testing, or only production)?
    • Are issues false positives, and why?




automated data

Automated, structured, and centralized data

Tidelift aggregates data across multiple upstream package manager ecosystems and source repositories into a centralized and structured format. As part of this process, Tidelift enhances the data collected from various sources to produce insights such as: 

  • List of releases and release dates
  • Upstream license information
  • Upstream source repository location
  • Per-release dependencies, as specified in package manager metadata
  • Source repository maintenance (last commit date, contributions, issues, and pull requests over the past year)
  • OpenSSF scorecard information (whether releases are signed, whether binary artifacts are present, and more)


Tidelift human-researched data

The upstream data is analyzed and further researched by the Tidelift data science team with the aim of providing more contextualized insights for our customers. Packages and releases are analyzed on a number of criteria, producing insights such as: 

  • Is the package actively maintained?
  • Is there a security policy for the package?
  • Has the package been deprecated?
  • Is a new version a release or a prerelease?
  • Is the release affected by any vulnerability?
  • Has the release been removed from upstream?
  • Is the release more than 7 years old?
  • Is the maintenance team responsive to security issues?
human researched


Ensure stakeholders are able to respond to issues and vulnerabilities by giving them appropriate visibility of open source software usage across the organization.

Schedule a demo

Centralized dynamic software bills of materials (SBOMs)

Tidelift provides a detailed view into the open source components the organization is using along with the transitive dependencies being pulled into your software development lifecycle. SBOMs include insights such as:

  • Release and verified, SPDX formatted license information
  • Understanding how the release came into your software (dependency chains)
  • CycloneDX and SPDX format imports and exports
centralized SBOMs

cross SBOM

Cross-SBOM visibility

Organizations have access to granular mapping of specific open source packages being used across individual applications, including:

  • Runtime or test usage 
  • Visibility to see if a particular library meets organizational policies
  • Security vulnerabilities and licensing issues

Dependency chains

With Tidelift, organizations get advanced visibility into whether a dependency is direct or transitive with the ability to identify how specific dependencies are being pulled into their code.

dependency chains


Mitigate long-term organizational risk by standardizing open source software management practices and policies across the organization.

Schedule a demo


Tidelift’s built-in security standards provide guidance for developers on what releases are allowed within the organization, based on our continuous evaluation and decision-making. Exceptions can also be created for specific use cases not impacted by a vulnerability.

security management

licensing management


Included out-of-the-box licensing templates ensure developers have the guidance they need to use packages with approved licenses, preventing the organization from being exposed to unexpected and unwanted legal risk.


Organizations can also implement maintenance standards that guide developers away from using deprecated or out-of-date package versions.

maintenance management

Additional resources

750x400 (1)
Defense in depth: How to use Tidelift alongside your SCA tool

One question we get a lot when talking to customers: how does Tidelift go hand in hand with software composition analysis tools, like Black Duck or Snyk or Mend.io? Short answer: Tidelift is proactive, SCA is reactive.

New video story: How Distributive uses Tidelift to maximize open source security and resilience

Within days of using the Tidelift application, the Distributive team found a potential vulnerability that npm-audit hadn’t, and quickly and safely fixed those issues with Tidelift’s CLI tool.

1200x630 (26)
The 2023 Tidelift state of the open source maintainer report

Check out the new state of the open source maintainer report which included 11 key headlines coming out of our new survey of over 300 open source maintainers.