Tidelift Subscription scope of support

Tidelift uses a layered approach to keep your open source dependencies trouble-free and enterprise-ready.

  • Tools. We provide tools to keep track of all the dependencies you use, flag issues, and enforce policies.

  • Management. We manage core, mission-critical packages on your behalf, including researching and resolving issues so you don't have to anymore.

  • Maintainers. We recruit maintainers for many important projects and pay them to proactively prevent problems and address the root causes of issues.

These three layers (tools, management, and maintainers) make up a complete solution based on open source best practices.

Our offering in detail

Security updates

Our tools report any vulnerable releases you're using, along with the vulnerability details, and recommend a fixed release. Our policy configuration allows you to fail your continuous integration or block pull requests if a branch introduces new vulnerabilities.

Because we're managing core packages for you, in addition to finding vulnerabilities, we'll create a fixed release for you when the open source project does not (this is especially relevant for the 20% or so of projects with no active maintainer).

Our network of maintainers takes the following proactive steps to secure their projects:

  • Set up a confidential security reporting address and follow coordinated disclosure best practices to prevent zero-day fire-drills.
  • Set up 2-factor authentication to reduce the risk of trojan horse attacks.
  • Coordinate with Tidelift’s security response team to release security fixes in a timely fashion.

Licensing verification and indemnification

Our tools extract open source license information from source repositories and package metadata across millions of packages, and aggregate it to make policy enforcement easier. Policies can block specific licenses as well as packages with missing license information.

Because we're managing core packages for you, we uncover "false positive" license problems by researching missing, inconsistent, or non-SPDX-compliant license information to identify the correct license and tag the package accordingly.

Our network of maintainers takes these additional steps:

  • Confirm correctness of the SPDX license tags on their package.
  • Should a subscriber violate an open source license, participating maintainers agree to work with the subscriber to resolve the problem prior to filing a lawsuit. This approach is based on the GPL Cooperation Commitment.
  • Participating maintainers certify the authorship of code they write. This approach is based on the Developer Certificate of Origin.

For packages whose maintainers partner with us, Tidelift indemnifies customers against claims that these packages contain copyright violations, such as copied code or an open source license violation.

Tidelift may respond to such a claim by (i) replacing the infringing portion of the software, (ii) modifying the software so that its use becomes non-infringing, (iii) obtaining the rights necessary for a customer to continue its use of the software without interruption or (iv) defending the customer (that is, hire and pay for a lawyer) against the claim and paying any resulting damages (up to a certain cap).

Indemnities are capped based on an organization’s specific needs and subscription level.

Maintenance and code improvement

Our tools monitor development activity on the packages you use and flag packages that appear to be unmaintained. Our tools also flag the use of outdated release streams that no longer have security updates available.

Because we're managing core packages for you, when those packages pull in unmaintained dependencies we provide security fixes if necessary. This makes it much less urgent to port away from unmaintained dependencies, which can be an expensive proposition. We also actively search for replacement maintainers to support these packages.

Our participating maintainers actively maintain their packages and make new releases in accordance with Tidelift best practices.

Package selection and version guidance

Our tools include a quick "reference card" for any package you're using or considering, with key statistics and quick links to relevant pages such as the package's GitHub repository. The tools guide you away from packages that look deprecated, unmaintained, or unlicensed. They also map what's known about each release of a package and guide you to the best release. This is generally the latest stable release compatible with the release you're already using, unless it's known to have critical bugs or vulnerabilities, in which case an older release may be recommended.

Because we're managing core packages for you, we identify packages with a "dead end" where there's no way to update to avoid critical bugs or vulnerabilities, and recommend the best way out.

We ask our participating maintainers to guide you to the versions you should be using:

  • Provide release notes for each new release in a standardized format, which we aggregate into a centralized feed for our subscribers.
  • Organize their releases by binary compatibility, and annotate the security update policy for each release stream.
  • Mark releases that have known critical bugs so subscribers can avoid them.

Roadmap input

We connect you to our network of maintainers and they're happy to hear from people who are paying them. Because they earn more as more subscribers use their package, it is in their best interests to keep subscribers happy.

The Tidelift Subscription includes a way for you to relay feedback. Deeper consulting engagements are subject to maintainer availability but Tidelift can help arrange consulting for work such as:

  • Issue resolution or feature development
  • In-depth training or advice
  • Creation of custom forked or patched versions of packages

Our participating maintainers do not agree to give Tidelift or our subscribers control over their projects' technical roadmap, and in fact that wouldn't be in most subscribers' best interest. Maintainers would love to understand your use case but open source communities are most effective when they balance all stakeholders' needs.

Tooling and cloud integration

We offer "out of the box" support for GitHub.com, and a simple API to integrate with any continuous integration system including Jenkins, Travis CI, BitBucket, and GitLab. Our customer success team helps every customer configure their tools to work with Tidelift.

Scope of support

Tidelift's developer tools and APIs are used to scan, track, and analyze your dependencies. These tools are created by Tidelift, and are distinct from the open source packages which make up your dependencies. Sign in to your Tidelift account to access our tools and APIs.

Tidelift tools support includes:

  • Guidance through initial onboarding and setup
  • Assistance with issues encountered during regular usage
  • Explaining and clarifying features and configuration
  • Troubleshooting outages and issues with the product

The Tidelift developer tools support dependency analysis for these ecosystems.

We have a number of other ecosystems which are in beta; we welcome your feedback and experiences with those ecosystems, but they are not yet subject to our service level agreement.

To be covered, open source dependencies must meet these criteria:

  • They must be included in your Tidelift scan results (so we know what coverage to provide)
  • They must be in one of the currently-covered ecosystems
  • You must be using a standard version of the package (not a fork or other modification)

For core, mission-critical packages widely used by our customers, we provide proactive license research and security updates.

Our tools will also mark these packages for you in your dependency list.

For many packages we have a business relationship with the maintainer. The current list can be found here. Our tools will also mark these packages for you in your dependency list.

How to request support

If you're a Tidelift subscriber, please email support@tidelift.com and let us know how we can help! We are eager to know about any issue with our tools or your open source dependencies, and do what we can to help.

When seeking support as part of your Tidelift Subscription, please do not contact an upstream project directly (for example by filing a GitHub issue). To ensure our participating maintainers know you're a subscriber and ensure we can track our SLA performance, we would like all Tidelift-related requests to originate through Tidelift channels.

Support Service Level Agreement

Hours: 9am–5pm ET on business days
Access: Email
Severity 1: 4 hours acknowledgement time
Severity 2: 8 hours acknowledgement time
Severity 3: 24 hours acknowledgement time
Severity 4: 48 hours acknowledgement time

Severity Definitions

Severity 1: Any issue resulting in a full outage to the subscriber's production service.
Severity 2: An issue with a high impact on a subscriber's production service or a severe impact on their non-critical business operations.
Severity 3: An issue with a moderate impact on the subscriber's business operations or that disrupts a planned deployment.
Severity 4: An issue or question with low to no immediate impact on the subscriber's business operations.

How the Tidelift Subscription pricing works

The Tidelift Subscription uses a per development team pricing model. Your subscription is priced based on the number of development teams in your organization who are developing applications using the open source dependencies that are covered by the Tidelift Subscription, and the number of developers on those teams. We define a single team as up to 25 developers contributing to a shared application code base.

So if you have 200 developers who are using open source components in the applications they build, you would need a subscription that covers at least 200 developers. You can find the current details about our pricing on our pricing page or by contacting a member of our sales team.
