Tidelift’s partnered open source maintainers are paid to ensure their projects follow industry-standard secure software development practices (such as those found in the NIST Secure Software Development Framework and the OpenSSF Scorecards).
When an open source maintainer partners with Tidelift, they work with us to ensure that their project(s) meet an important set of industry, security, maintenance, and licensing standards, all of which help improve the overall health and resilience of the projects you rely on.
In addition to maintaining and fixing vulnerabilities in their packages, our partner maintainers help us improve and annotate the data available through the Tidelift subscription. This data powers custom integrations, SBOM analysis, and custom policies.
Figure 1: Examples of maintainer tasks include annotating licenses, documenting security policies, properly tracking and communicating package dependencies, and implementing two-factor authentication.
First-party maintainer-sourced insights:

| Insight | What it tells you |
|---|---|
| Enable 2FA on GitHub | Confirms the maintainer's GitHub account requires a second authentication factor, so a stolen or guessed password alone cannot be used to take over the account and tamper with the source repository. |
| Enable 2FA in package manager | Confirms the maintainer's package registry account also requires a second factor, so a compromised password alone cannot be used to publish a malicious release. |
| Set source repository URL | Links the published package(s) to the repository the code is built from, so your teams can confirm they are consuming the package that corresponds to that source. |
| Review release managers | Confirms that only reviewed and approved maintainers are authorized to manage releases for the package(s). |
| Review security vulnerabilities | Provides detailed, contextual feedback from the maintainer on the vulnerabilities found in the package(s), giving your teams an accurate source of truth for each vulnerability. |
| Set versioning scheme | States the versioning scheme the project follows, making it easier to tell which releases may contain breaking changes. |
| Verify license | Tells you the license the maintainer has assigned to the package(s). |
| Create a discoverable security policy | Confirms that a documented process exists for reporting and handling vulnerabilities in the package(s), so you know that reported vulnerabilities will be addressed and how. |
| Create security maintenance plan | States which versions the maintainer will provide security updates for, helping your team choose which versions to adopt going forward. |
| Create a fixed release | Confirms the maintainer(s) is committed to publishing a fixed release when a vulnerability is found in the package(s) or its dependencies. |
NOTE: We will add new insights to this list over time with input from both our customers and partnered maintainers.