
Scope of support


The Tidelift Subscription is the only way to get managed open source—backed by maintainers. Create customizable catalogs of known-good, proactively maintained JavaScript, Python, Java, PHP, Ruby, and .NET components.

What's supported

The Tidelift Subscription includes

  • a service for maintaining customized catalogs of open source package releases

  • a set of Tidelift-managed catalogs to use as a foundation for your customized catalogs

Each catalog contains a set of package releases and defines standards that those releases must meet. Managing a catalog involves updating the set of included package releases as required to keep it up to standard and meet user needs.

Tidelift's service and APIs are used to build customized catalogs, scan your own software projects, and align those projects to your catalogs. This service is created by Tidelift, and is distinct from the open source packages which make up your dependencies. Sign in to your Tidelift account to access this service.

Support for the Tidelift service includes:

  • Guidance through initial onboarding and setup
  • Assistance with issues encountered during regular usage
  • Explaining and clarifying features and configuration
  • Troubleshooting outages and issues with the product

The Tidelift service supports catalogs and bill-of-materials tracking for these package managers:

netlogo

We have a number of other package managers which are in beta; we welcome your feedback and experiences with those, but they are not yet subject to our service level agreement.

Support for Tidelift-managed catalogs includes:

Working with maintainers, Tidelift manages a set of catalogs as part of the Tidelift service. Subscribers can build on the work we do in these catalogs to save time and effort managing their own customized catalogs.

All Tidelift-managed catalogs are included in the Tidelift Subscription.

Each Tidelift-managed catalog documents its own standards. A catalog contains a set of package releases, and Tidelift will update the releases in the catalog as required such that the catalog continues to meet its defined standards.

Included catalogs

Working together with our network of partnered independent open source maintainers, Tidelift currently manages three catalogs.

Our license-annotated catalog has machine-readable, SPDX-format licenses on all packages in the catalog, enabling subscribers to apply an automated license policy. This catalog lets customers screen out unacceptable licenses without independently researching thousands of false positives—packages often have acceptable licenses that are not properly annotated. Our license annotations are advised and vetted by the maintainers behind Tidelift.

Our security-advised catalog provides advice and remediation around security vulnerabilities. Our network of maintainers helps us to provide the best advice, in particular avoiding false positives.

  • Where possible, the releases in the catalog are updated to ensure that no vulnerabilities apply.
  • Where not possible, we document workarounds for each vulnerability.
  • For packages with no active maintainer or where the maintainer has been unresponsive to a vulnerability, as a last resort we provide custom patches.
  • We work with maintainers to document which release streams receive security updates and end-of-life dates on those streams.
  • We work with maintainers to proactively improve project security:
    • Maintainers have a confidential security reporting address and follow coordinated disclosure best practices to reduce subscriber exposure to zero-day vulnerabilities.
    • Maintainers set up two-factor authentication to reduce the risk of trojan horse attacks.
    • Maintainers coordinate with Tidelift’s security response team to release security fixes in a timely fashion.

Our indemnified catalog provides IP protection.

  • Should a subscriber violate an open source license, participating maintainers agree to work with the subscriber to resolve the problem prior to filing a lawsuit. This approach is based on the GPL Cooperation Commitment.
  • Participating maintainers certify the authorship of code they write. This approach is based on the Developer Certificate of Origin.
  • For packages whose maintainers partner with us, Tidelift indemnifies customers against claims that these packages contain copyright violations, such as copied code or an open source license violation.
  • Tidelift may respond to such a claim by (i) replacing the infringing portion of the software, (ii) modifying the software so that its use becomes non-infringing, (iii) obtaining the rights necessary for a customer to continue its use of the software without interruption or (iv) defending the customer (that is, hire and pay for a lawyer) against the claim and paying any resulting damages (up to a certain cap).
  • Indemnities are capped based on an organization’s specific needs and subscription level.

How to request support

If you're a Tidelift subscriber, please email support@tidelift.com and let us know how we can help! We are eager to know about any issue with our tools or your open source dependencies, and will do what we can to help.

When seeking support as part of your Tidelift Subscription, please do not contact an upstream project directly (for example by filing a GitHub issue). So that our participating maintainers know you're a subscriber and we can track our SLA performance, we would like all Tidelift-related requests to originate through Tidelift channels.

Support Service Level Agreement

Hours: 9am–5pm ET on business days
Access: Email
Severity 1: 4 hours acknowledgement time
Severity 2: 8 hours acknowledgement time
Severity 3: 24 hours acknowledgement time
Severity 4: 48 hours acknowledgement time

Severity Definitions

Severity 1: Any issue resulting in a full outage to the subscriber's production service.
Severity 2: An issue with a high impact on a subscriber's production service or a severe impact on their non-critical business operations.
Severity 3: An issue with a moderate impact on the subscriber's business operations or that disrupts a planned deployment.
Severity 4: An issue or question with low to no immediate impact on the subscriber's business operations.

How the Tidelift Subscription pricing works

The Tidelift Subscription uses a per-development-team pricing model. Your subscription is priced based on the number of development teams in your organization who are developing applications using the open source dependencies that are covered by the Tidelift Subscription, and the number of developers on those teams. We define a single team as up to 25 developers contributing to a shared application code base.

So if you have 200 developers who are using open source components in the applications they build, you would need a subscription that covers at least 200 developers. You can find the current details on our pricing page or by contacting a member of our sales team.
