Tidelift Subscription Adds Advanced Open Source Intelligence Capabilities
Tidelift, a provider of solutions for improving the security and resilience of the open source software supply chain powering modern applications, recently announced a broad new set of capabilities in the Tidelift Subscription. The new capabilities expand customers’ ability to use Tidelift’s maintainer-validated data to make more informed decisions about open source packages and to reduce open source-related risk.

“With open source making up the vast majority of the code in modern applications, and against the backdrop of several recent high-profile security vulnerabilities impacting open source, organizations are urgently seeking innovative ways to ensure their software supply chain is properly maintained and secure,” said Lauren Hanford, vice president of product, Tidelift. “Tidelift is the only company working proactively with open source maintainers to validate that their packages meet the security standards newly codified by government and industry, and paying them for this important work. This allows organizations to make more informed decisions about open source and reduce related risk, while having assurances that the software they depend on will be there in the future.”

New open source software intelligence capabilities, including API access

Tidelift’s open source package intelligence data is researched and validated by Tidelift and its paid maintainer partners and available via the Tidelift Subscription. Tidelift automates the data collection, curates and structures the data, and provides APIs to easily integrate with existing workflows and business intelligence tools.

Organizations can save time by letting Tidelift collect open source intelligence data at scale, across millions of open source packages. This reduces the time they spend analyzing individual packages and helps them make better decisions more quickly.

The Tidelift Subscription includes:

  • First-party maintainer-sourced data. Tidelift partners directly with the maintainers of thousands of the most popular open source packages and pays them to validate that they follow secure development practices like those outlined by government and industry, such as the NIST Secure Software Development Framework and the OpenSSF Scorecards project. This provides organizations with unique first-party, maintainer-sourced insights available only via the Tidelift Subscription.
  • Automated, structured, and centralized data. Tidelift aggregates data across multiple upstream package manager ecosystems and source repositories into a centralized and structured format.
  • Tidelift human-researched data. The upstream data is analyzed and further researched by the Tidelift data team with the aim of providing more contextualized insights for our customers.