Maintainers: critical for software supply chain security

Tidelift is the only company that partners with open source maintainers and pays them to:

  • Implement industry-leading secure software development practices and validate the practices they follow so organizations can have the same confidence in the security of their open source that they have in their own code.
  • Contractually commit to continue these practices into the future so that organizations can confidently make long term investments in the packages they use.

Maintainers are the developers committing code every day to the packages your applications depend on; you cannot secure your software supply chain without partnering with them.

What does that mean in practice?

When Tidelift partners with a maintainer of open source software that you use, you get guarantees relating to:

Secure development practices

Tidelift verifies maintainer identity, and pays maintainers to implement best practices around secure development for their software, including:

  • Using multi-factor authentication on the accounts that commit code and publish releases, so a stolen password alone cannot be used to push a malicious release
  • Reviewing which accounts have access to publish releases, and removing access that is no longer needed, to reduce the exposure to a compromised or malicious publisher
  • Publishing a security policy that describes how vulnerabilities are handled, and responding to security researcher reports
  • Selecting and applying an open source software license

Open source maintainers undertaking this work means fewer instances of unexpected supply chain attacks and the associated fire drills. 

[Figure 1: Maintainer impact, August 2024]

Continued maintenance and succession planning

Open source maintainers who partner with Tidelift are required to commit to long-term maintenance of their packages, and to provide fixes and new releases as appropriate.

If at any point a partnered maintainer wants or needs to step away from maintenance for any reason, they must provide written notice to Tidelift. Tidelift then works to ensure that the package's maintenance continues without interruption. See how Tidelift worked to ensure SockJS remained maintained.

Tidelift’s contractual partnership with maintainers means your dependencies will continue to be maintained, fixed, and updated.

Vulnerability fixes and insights

All maintainers that partner with Tidelift are required to provide a fixed release for any vulnerability that is discovered in their software. Maintainers document which release lines receive security updates, and a number of maintainers offer fixes for older releases on request.

Additionally, maintainers are required to provide detailed vulnerability recommendations for any discovered vulnerability, so that you can judge your actual exposure rather than treating every advisory as an emergency. These include details such as:

  • How likely users are to be affected by the vulnerability
  • Whether it only affects certain use cases, or certain methods
  • What workarounds may exist

Figure 2: Example of vulnerability insights directly from maintainers 

Open source maintainers undertaking this work means you won’t be left on the hook to fend for yourself when vulnerabilities do occur. 

Ecosystem-wide improvements and uplift

By subscribing to Tidelift and paying maintainers for their work, our customers make it possible for maintainers to undertake a number of new initiatives that they otherwise wouldn't be able to. See how a Java maintainer was able to rearchitect their code to remove an entire class of vulnerabilities, or how working on supply chain security in urllib3 improved the entire Python ecosystem.

Tidelift’s contractual partnership with maintainers ensures that the open source software you use is continuously improving, reducing burden related to vulnerabilities and upgrades on your developers. This streamlining makes new development quicker and easier, freeing up your team to focus more effectively on delivering business results.


If you are interested in learning more about how Tidelift works with our partnered open source maintainers (who we refer to as "lifters"), we recommend the following articles:

The above articles are part of a separate set of resources specifically for these partnered maintainers.

If you currently maintain an open source package and are interested in getting paid for the value you create, begin the process here.
