About the Tidelift maintainer advantage

Tidelift is the only company that partners with open source maintainers and pays them to:

  • Implement industry-leading secure software development practices and validate the practices they follow so organizations can have the same confidence in the security of their open source that they have in their own code.
  • Contractually commit to continue these practices into the future so that organizations can confidently make long-term investments in the packages they use.

What does that mean in practice?

When Tidelift partners with a maintainer of open source software that you use, you get guarantees relating to:

Secure development practices

Tidelift verifies maintainer identity, and requires that all maintainers implement best practices around secure development for their software, including:

  • Using multi-factor authentication when committing code and publishing releases
  • Reviewing all maintainers who have access to publish releases to protect against unwanted access
  • Publishing a security policy on how vulnerabilities are handled
  • Clearly defining their software license

Tidelift works with maintainers to adopt new secure development practices as they become more common.

The Tidelift maintainer advantage means fewer unexpected supply chain attacks coming out of left field.

Continued maintenance and succession planning

Open source maintainers who partner with Tidelift are required to commit to long-term maintenance of their packages, providing fixes and new releases as appropriate.

If at any point a partnered maintainer wants or needs to step away from maintenance for any reason, they must provide written notice to Tidelift. We then work to ensure that the affected packages maintain continuity of maintenance. See how Tidelift worked to ensure SockJS remained maintained.

The Tidelift maintainer advantage means your dependencies will continue to be maintained, fixed, and updated.

Vulnerability fixes and insights

All maintainers that partner with Tidelift are required to provide a fixed release for any vulnerability that is discovered in their software. Maintainers document which releases will have security updates available, and a number of maintainers offer fixes for older releases on request.

Additionally, maintainers are required to provide detailed vulnerability recommendations for any discovered vulnerability, including details such as:

  • How likely users are to be affected by the vulnerability
  • Whether it only affects certain use cases, or certain methods
  • What workarounds may exist

The Tidelift maintainer advantage means you won't be left on the hook to fend for yourself when vulnerabilities do occur.

Ecosystem-wide improvements and uplift

By subscribing to Tidelift and paying maintainers for their work, our customers make it possible for maintainers to undertake a number of new initiatives that they otherwise wouldn't be able to. See how a Java maintainer was able to rearchitect their code to remove an entire class of vulnerabilities, or how working on supply chain security in urllib3 improved the entire Python ecosystem.

The Tidelift maintainer advantage ensures that the open source software you use is continuously improving, reducing the burden that vulnerabilities and upgrades place on your developers. This streamlining makes new development quicker and easier, freeing up your team to focus more effectively on delivering business results.

If you are interested in learning more about how Tidelift works with our partnered open source maintainers (who we refer to as "lifters"), we recommend the following articles:

The above articles are part of a separate set of resources specifically for these partnered maintainers.

If you currently maintain an open source package and are interested in getting paid for the value you create, begin the process here.
