Tools. We provide tools to keep track of all the dependencies you use, flag issues, and enforce policies.
Management. We manage core, mission-critical packages on your behalf, including researching and resolving issues so you don't have to anymore.
Maintainers. We recruit maintainers for many important projects and pay them to proactively prevent problems and address the root causes of issues.
These three layers, tools, management, and maintainers, make up a complete solution based on open source best practices.
Our tools report any vulnerable releases you're using, along with the vulnerability details, and recommend a fixed release. Our policy configuration allows you to fail your continuous integration or block pull requests if a branch introduces new vulnerabilities.
Because we're managing core packages for you, in addition to finding vulnerabilities, we'll create a fixed release for you when the open source project does not (this is especially relevant for the 20% or so of projects with no active maintainer).
Our network of maintainers takes the following proactive steps to secure their projects:
Our tools extract open source license information from source repositories and package metadata across millions of packages, and aggregate it to make policy enforcement easier. Policies can block specific licenses as well as packages with missing license information.
Because we're managing core packages for you, we uncover "false positive" license problems by researching missing, inconsistent, or non-SPDX-compliant license information to identify the correct license and tag the package accordingly.
Our network of maintainers takes these additional steps:
For packages whose maintainers partner with us, Tidelift indemnifies customers against claims that these packages contain copyright violations, such as copied code or an open source license violation.
Tidelift may respond to such a claim by (i) replacing the infringing portion of the software, (ii) modifying the software so that its use becomes non-infringing, (iii) obtaining the rights necessary for a customer to continue its use of the software without interruption or (iv) defending the customer (that is, hire and pay for a lawyer) against the claim and paying any resulting damages (up to a certain cap).
Indemnities are capped based on an organization’s specific needs and subscription level.
Our tools monitor development activity on the packages you use and flag packages that appear to be unmaintained. Our tools also flag the use of outdated release streams that no longer have security updates available.
Because we're managing core packages for you, when those packages pull in unmaintained dependencies we provide security fixes if necessary. This makes it much less urgent to port away from unmaintained dependencies, which can be an expensive proposition. We also actively search for replacement maintainers to support these packages.
Our participating maintainers actively maintain their packages and make new releases in accordance with Tidelift best practices.
Our tools include a quick "reference card" for any package you're using or considering, with key statistics and quick links to relevant pages such as the package's GitHub repository. The tools guide you away from packages that look deprecated, unmaintained, or unlicensed. They also map what's known about each release of a package and guide you to the best release. This is generally the latest stable release compatible with the release you're already using unless it's known to have critical bugs or vulnerabilities, in which case an older release may be recommended.
Because we're managing core packages for you, we identify packages with a "dead end" where there's no way to update to avoid critical bugs or vulnerabilities, and recommend the best way out.
We ask our participating maintainers to guide you to the versions you should be using:
We connect you to our network of maintainers and they're happy to hear from people who are paying them. Because they earn more as more subscribers use their package, it is in their best interests to keep subscribers happy.
The Tidelift Subscription includes a way for you to relay feedback. Deeper consulting engagements are subject to maintainer availability but Tidelift can help arrange consulting for work such as:
Our participating maintainers do not agree to give Tidelift or our subscribers control over their projects' technical roadmap, and in fact that wouldn't be in most subscribers' best interest. Maintainers would love to understand your use case but open source communities are most effective when they balance all stakeholders' needs.
We offer "out of the box" support for GitHub.com, and a simple API to integrate with any continuous integration system including Jenkins, Travis CI, Bitbucket, and GitLab. Our customer success team helps every customer configure their tools to work with Tidelift.
Tidelift's developer tools and APIs are used to scan, track, and analyze your dependencies. These tools are created by Tidelift, and are distinct from the open source packages which make up your dependencies. Sign in to your Tidelift account to access our tools and APIs.
We have a number of other ecosystems which are in beta; we welcome your feedback and experiences with those ecosystems, but they are not yet subject to our service level agreement.
For core, mission-critical packages widely used by our customers, we provide proactive license research and security updates.
Our tools will also mark these packages for you in your dependency list.
For many packages we have a business relationship with the maintainer. The current list can be found here. Our tools will also mark these packages for you in your dependency list.
If you're a Tidelift subscriber, please email email@example.com and let us know how we can help! We are eager to know about any issue with our tools or your open source dependencies, and do what we can to help.
When seeking support as part of your Tidelift Subscription, please do not contact an upstream project directly (for example by filing a GitHub issue). To ensure our participating maintainers know you're a subscriber and ensure we can track our SLA performance, we would like all Tidelift-related requests to originate through Tidelift channels.
| Hours | 9am–5pm ET on business days |
|---|---|
| Severity 1 | 4 hours acknowledgement time |
| Severity 2 | 8 hours |
| Severity 3 | 24 hours |
| Severity 4 | 48 hours |

| Severity | Definition |
|---|---|
| Severity 1 | Any issue resulting in a full outage to the subscriber's production service. |
| Severity 2 | An issue with a high impact on a subscriber's production service or a severe impact on their non-critical business operations. |
| Severity 3 | An issue with a moderate impact on the subscriber's business operations or that disrupts a planned deployment. |
| Severity 4 | An issue or question with low to no immediate impact on subscriber's business operations. |
The Tidelift Subscription uses a per development team pricing model. Your subscription is priced based on the number of development teams in your organization who are developing applications using the open source dependencies that are covered by the Tidelift Subscription, and the number of developers on those teams. We define a single team as up to 25 developers contributing to a shared application code base.
So if you have 200 developers who are using open source components in the applications they build, you would need a subscription that covers at least 200 developers. You can find the current details about our pricing on our pricing page or by contacting a member of our sales team.