Tidelift Subscription scope of support

The Tidelift Subscription is a managed open source subscription that takes care of your open source dependencies for you—freeing your team to focus on building your own applications.

Scope of support for Tidelift developer tools

Tidelift's developer tools and APIs are used to scan, track, and analyze your dependencies. These tools are created by Tidelift, and are distinct from the open source packages which make up your dependencies. Sign in to your Tidelift account to access our tools and APIs.

Tidelift tools support includes:

  • Guidance through initial onboarding and setup.
  • Assistance with issues encountered during regular usage.
  • Explaining and clarifying features and configuration.
  • Troubleshooting outages and issues with the product.

Tidelift tools support does not include:

  • New feature development or tool customization.
  • Hands-on setup and configuration of your environment.


The Tidelift developer tools support dependency analysis for these ecosystems



We have a number of other ecosystems which are in beta; we welcome your feedback and experiences with those ecosystems, but they are not yet subject to our service level agreement.


Scope of support for your open source dependencies

To be covered, open source dependencies must meet these criteria:

  • They must be reported to us via the Tidelift tools (so we know what coverage to provide)
  • They must be in one of the currently-covered ecosystems
  • You must be using a standard version of the package (not a fork or other modification)


For all covered open source dependencies, we offer basic support which includes:

  • Notification and resolution of known security vulnerabilities impacting the packages you have reported to us.
  • On request, correction of missing machine-readable licensing information.
  • We provide suggestions about outdated dependencies.
  • We provide suggestions about unmaintained dependencies.
  • We provide suggestions about deprecated dependencies.


Lifted dependencies have additional assurances:

We have commercial relationships with many independent open source maintainers. When we have such a relationship, we call the package provided by those maintainers a lifted package. Lifted packages have the following additional assurances:


  • We ensure the package is actively maintained.
  • We provide a centralized feed of release notes for each new release of the package.
  • We inform you which release streams are actively maintained (meaning that critical fixes will be backported) and provide suggestions to avoid inactive streams.
  • We annotate releases which are known to have critical bugs and provide suggestions to avoid them.
  • On request, we will communicate roadmap input or other feedback to the upstream maintainers and let them know that the input comes from paying subscribers.


  • The package will follow coordinated disclosure best practices, including having a confidential security reporting address.
  • Participating maintainers will use two-factor authentication, where available, to reduce the risk of trojan horse attacks.


  • Participating maintainers verify all licensing metadata.
  • Should a subscriber violate an open source license, participating maintainers agree to work with the subscriber to resolve the problem prior to filing a lawsuit. This approach is based on the GPL Cooperation Commitment.
  • Participating maintainers certify the authorship of code they write. This approach is based on the Developer Certificate of Origin.

As part of your subscription, we also work to add more of the specific packages you use to the lifted list over time.

IP Indemnification

Tidelift indemnifies customers against claims that lifted packages contain copyright violations, such as copied code or an open source license violation.

Tidelift may respond to such a claim by (i) replacing the infringing portion of the software, (ii) modifying the software so that its use becomes non-infringing, (iii) obtaining the rights necessary for a customer to continue its use of the software without interruption or (iv) defending the customer (that is, hire and pay for a lawyer) against the claim and paying any resulting damages (up to a certain cap).

Indemnities are capped based on an organization’s specific needs and subscription level.

Support for open source dependencies does NOT include:

  • Issue resolution or feature development
  • Control over project technical roadmaps
  • Training or advice
  • Creation of custom forked or patched versions of packages









How to request support

If you're a Tidelift subscriber, please email support@tidelift.com and let us know how we can help! We are eager to know about any issue with our tools or your open source dependencies, and do what we can to help.

When seeking support as part of your Tidelift Subscription, please do not contact an upstream project directly (for example by filing a GitHub issue). To ensure our participating maintainers know you're a subscriber and ensure we can track our SLA performance, we would like all Tidelift-related requests to originate through Tidelift channels.

 Support Service Level Agreement

Hours 9am–5pm ET on business days
Access Email
Severity 1 4 hours acknowledgement time
Severity 2 8 hours
Severity  3 24 hours
Severity 4 48 hours

Severity Definitions

Severity 1 Any issue resulting in a full outage to the subscriber's production service.
Severity 2 An issue with a high impact on a subscriber's production service or a severe impact on their non-critical business operations.
Severity  3 An issue with a moderate impact on the subscriber's business operations or that disrupts a planned deployment.
Severity 4 An issue or question with low to no immediate impact on subscriber's business operations.