The Tidelift Subscription is the only way to get managed open source—backed by maintainers. Create customizable catalogs of known-good, proactively maintained JavaScript, Python, Java, PHP, Ruby, and .NET components.

What's supported

The Tidelift Subscription includes

• a service for maintaining customized catalogs of open source package releases

• a set of Tidelift-managed catalogs to use as a foundation for your customized catalogs

Each catalog contains a set of package releases and defines standards that those releases must meet. Managing a catalog involves updating the set of included package releases as required to keep it up to standard and meet user needs.

Tidelift's service and APIs are used to build customized catalogs, scan your own software projects, and align those projects to your catalogs. This service is created by Tidelift, and is distinct from the open source packages which make up your dependencies. Sign in to your Tidelift account to access this service.

Support for the Tidelift service includes:

• Guidance through initial onboarding and setup
• Assistance with issues encountered during regular usage
• Explaining and clarifying features and configuration
• Troubleshooting outages and issues with the product

The Tidelift service supports catalogs and bill-of-materials tracking for these package managers:

We have a number of other package managers which are in beta; we welcome your feedback and experiences with those, but they are not yet subject to our service level agreement.

Support for Tidelift-managed catalogs includes:

Working with maintainers, Tidelift manages a set of catalogs as part of the Tidelift service. Subscribers can build on the work we do in these catalogs to save time and effort managing their own customized catalogs.

All Tidelift-managed catalogs are included in the Tidelift Subscription.

Each Tidelift-managed catalog documents its own standards. A catalog contains a set of package releases, and Tidelift will update the releases in the catalog as required such that the catalog continues to meet its defined standards.

Included catalogs

Working together with our network of partnered independent open source maintainers, Tidelift currently manages three catalogs.

Our license-annotated catalog has machine-readable, SPDX-format licenses on all packages in the catalog, enabling subscribers to apply an automated license policy. This catalog lets customers screen out unacceptable licenses without independently researching thousands of false positives—packages often have acceptable licenses that are not properly annotated. Our license annotations are advised and vetted by the maintainers behind Tidelift.

Our security-advised catalog provides advice and remediation around security vulnerabilities. Our network of maintainers helps us to provide the best advice, in particular avoiding false positives.

• Where possible, the releases in the catalog are updated to ensure that no vulnerabilities apply.
• Where not possible, we document workarounds for each vulnerability.
• For packages with no active maintainer or where the maintainer has been unresponsive to a vulnerability, as a last resort we provide custom patches.
• We work with maintainers to document which release streams receive security updates and end-of-life dates on those streams.
• We work with maintainers to proactively improve project security:
• Maintainers have a confidential security reporting address and follow coordinated disclosure best-practices to reduce subscriber exposure to zero-day vulnerabilities.
• Maintainers set up 2-factor authentication to reduce the risk of trojan horse attacks.
• Maintainers coordinate with Tidelift’s security response team to release security fixes in a timely fashion.

Our indemnified catalog provides IP protection.

• Should a subscriber violate an open source license, participating maintainers agree to work with the subscriber to resolve the problem prior to filing a lawsuit. This approach is based on the GPL Cooperation Commitment.
• Participating maintainers certify the authorship of code they write. This approach is based on the Developer Certificate of Origin.
• For packages whose maintainers partner with us, Tidelift indemnifies customers against claims that these packages contain copyright violations, such as copied code or an open source license violation.
• Tidelift may respond to such a claim by (i) replacing the infringing portion of the software, (ii) modifying the software so that its use becomes non-infringing, (iii) obtaining the rights necessary for a customer to continue its use of the software without interruption or (iv) defending the customer (that is, hire and pay for a lawyer) against the claim and paying any resulting damages (up to a certain cap).
• Indemnities are capped based on an organization’s specific needs and subscription level.