Paying open source maintainers to reduce security risk (the jackson-databind story)

Jackson-databind is a critical Java package used by millions and relied upon by nearly 19,000 other open source projects. It faced significant security risks due to remote code execution vulnerabilities, prompting some to consider re-architecting their applications. Tidelift began supporting Tatu Saloranta, the project's maintainer, enabling him to implement secure development practices and re-architect the project to remove these vulnerabilities. This allowed Tidelift's customers to continue using jackson-databind without the risk of remote code execution, while also supporting the project's long-term health and security.

TRANSCRIPT

Jackson-databind is a heavily relied-upon package in the Java ecosystem. It is downloaded almost 3 million times per month and is a dependency for almost 19,000 other open source packages. Unfortunately, jackson-databind had been impacted by a large number of remote code execution vulnerabilities, leading to increased security risk. To lower this risk, many organizations had considered investing significant time and resources into re-architecting their applications to eliminate jackson-databind altogether.

Meet Tatu Saloranta, the maintainer of jackson-databind. Because many customers use his project, Tatu was able to start getting paid by Tidelift to implement enterprise-class secure software development practices and make a commitment to keep the project updated over time. Tatu also chose to use income from Tidelift to re-architect the project completely, effectively eliminating the remote code execution vulnerabilities. Because Tatu was paid for his work, Tidelift customers using jackson-databind no longer face risk from remote code execution vulnerabilities, and they didn't have to re-architect their applications. Now they can use jackson-databind with confidence, knowing they directly contributed to funding Tatu's efforts and are helping to ensure the project's health and security for the future.