The Tidelift Subscription

Build your applications with enterprise-grade open source

Pricing | Free demo | Documentation | Scope of support | Supported packages

Focus your time and effort on what you’re building—not what you’re building it with.

The Tidelift Subscription is a managed open source subscription for application dependencies covering thousands of open source projects across JavaScript, Python, Java, PHP, Ruby, .NET, and more.

Speed up application development, save money, and reduce risk when building apps with open source.

Free Demo

Open source is everywhere.

92% of enterprise software projects include open source dependencies, and of those, as much as 70% of the code is open source. There’s good reason for this: the bulk of innovation in software today is happening in open source.

Open source is huge, and changing

There are tens of thousands of open source dependencies in use across global organizations, and each one can have scores of different versions. Not all of these dependencies are going to be appropriate for your organization, for a number of reasons:

  • Their licenses may be incomplete, inaccurate, or incompatible with your business model and IP policies.
  • They may contain security vulnerabilities that make them inappropriate for use given your risk profile.
  • They may have an uncertain future and are at risk of not being maintained at the level you require going forward. 
  • And if a dependency has none of these issues today, that may change over time.

 

open source application components

When we talk to organizations about how they are meeting these challenges, we learn they typically fall along a continuum from those who have no processes or policies in place to those with strict policies and scanning-based solutions in place.

Screen Shot 2020-07-07 at 2.50.27 PM

 

Distributed approach (move fast)

With this approach, developers on each team bring in new components on their own. If scanning tools are being used, the results are often ignored.

  • Upside: no roadblocks, devs can build and deploy quickly
  • Downside: creates possibility for maintenance and security nightmares

Centralized approach (stay safe)

With this approach, the organization tightly controls open source usage to avoid risk. Scanning tools block deployments until developers address concerns, which they can’t always do.

  • Upside: reduce risk, avoid becoming next Equifax
  • Downside: hard to move quickly and developers are frustrated

 

So what’s the ideal solution?

Your engineers need access to open source dependencies to build the applications your business users and customers need. Your business policies demand that those applications only be built with “good” dependencies. Determining which dependencies are “good” is an intense, on-going effort.

An ideal solution would:

  • Provide a set of “good” dependencies for each of the major frameworks or “stacks” your developers want to work with
  • Manage those sets of packages proactively as internal policies/standards and open source software evolves
  • Integrate with your build chain and minimize the disruption of your existing processes 
  • Incentivize the open source software development community to continue to maintain the packages your business depends on

This will all save your application development teams from the ongoing, manual effort of parsing painful scanner reports full of false positives and open source trivia, while mitigating the IP, vulnerability, and availability risks associated with using open source software. 

ideal-solution-tidelift

 

This is how the largest tech companies, the ones with the largest web presences and the need to maintain incredibly diverse infrastructure manage their open source dependencies. 

The Tidelift Subscription: managed open source—backed by maintainers

With Tidelift, you don’t have to choose between “move fast” or “stay safe.”  Because we partner with the independent creators of open source, our customers are able to have both at once.

How does it work?

Tidelift partners directly with the maintainers of thousands of open source components to manage them for you, satisfying the basic criteria you’d require for any commercial-grade software:

  • Security: Verified updates for zero-day vulnerabilities, coordinated security response, and immediate notifications of which of your applications are impacted, with the fix prepared for you. Like your phone, just “apply updates” to stay secure.
  • Licensing: Verified-accurate open source licenses (including IP indemnification) and customizable policy enforcement. Your up-to-date software “bill of materials” is always one click away.
  • Maintenance: Tidelift continuously guides you on your upgrade path, steering you towards the best packages and versions for your particular application. It’s like a GPS for open source software.

movefast-staysafe

 

Catalogs

A core element of the Tidelift solution is the concept of the catalog, which is a collection of approved packages that meet standards such as:

  1. Have clear and accurate licensing information
  2. Receive proactive security updates on an on-going basis
  3. Are actively managed by the open-source community.
  4. Any standards your organization defines.

Developers will always know what’s approved for use and can proactively check if their projects are aligned with their catalog using the Tidelift web app or Tidelift CLI.


CI/CD pipeline integration 

With a catalog in place, customers can choose from several mechanisms to keep their software projects aligned with the approved releases in the catalog:

  • The Tidelift CLI allows individual developers to check alignment at their desks, and request additions to the catalog;
  • A check in your CI/CD pipeline can verify catalog alignment;
  • Artifact managers such as JFrog Artifactory can be integrated with Tidelift to block not-in-catalog releases from your artifact repository, if desired.

 

Screen Shot 2020-07-08 at 3.28.10 PM

 

Bill of materials management

The Tidelift Subscription also provides bill of materials management, so you always know what package releases are used where. If you are made aware of a zero-day exploit in the wild, you can determine if it’s: 

  1. impacted your customer-facing app that contains personally identifiable customer information or...
  2. a dependency used in a self-contained back-office app that touches neither critical data nor processes

Screen Shot 2020-07-02 at 3.31.31 PM-1

 

 

Backed by maintainers

Tidelift works directly with the maintainers of the packages, compensating them for the work they do to keep packages enterprise-ready.

Screen Shot 2020-07-07 at 2.53.44 PM

 

Ready to see how it works?

Catalog-outlines