Tidelift CEO and co-founder Donald Fischer was recently interviewed for an episode of EnterpriseReady, a podcast that focuses on how to build software for enterprises through discussions with industry experts and enterprise software founders.
Grant Miller, creator of EnterpriseReady and co-founder and CEO of Replicated, sat down with Donald to discuss the lessons Donald has learned from his career in technology, open source, and venture capital, as well as to discuss the importance of supporting open source creators at scale. You can listen to the full interview here.
The beginnings of Tidelift
In the first part of the podcast, Grant quizzed Donald on some of his background, including his introduction to open source, his time at Red Hat, and his experience working in venture capital.
As a venture capitalist, Donald’s focus was on open source companies. As he analyzed potential investments, one trend became clear: there is a whole class of open source projects that are used widely by almost every large organization but were not by themselves comprehensive enough to form the basis for a standalone open source company.
“It clearly doesn’t make sense to start a Series A-backed VC company around every string-parsing library,” said Donald. “It’s like a paradox. We depend on this stuff and it needs to work. We started theorizing that really bad things could happen to users of these packages if they weren’t validated or supported to meet certain standards.”
Donald started talking about this potential problem with a few friends that he met over the years through open source, specifically Havoc Pennington, Jeremy Katz, and Luis Villa, now his co-founders at Tidelift. They discussed ways to potentially resolve this paradox while also figuring out how to ensure the open source maintainers who have thousands of global companies relying on their projects get paid for their work.
“There’s this diffused network of individuals who are creating this really valuable set of capabilities, in this case open source projects,” Donald said. “They are causing the software to exist to some degree, and maybe they’re not doing all of the boring enterprise release engineering work that big companies who use that software would want them to, so can we give them a reason to do it?”
Applying universal standards to open source—and paying the maintainers for it
In response to these questions, the Tidelift business model was born—working with the open source maintainers on a fractional basis, agreeing on some universal enterprise standards that the software packages should meet and paying the maintainers to meet those standards.
“It gives them a reason and motivation to bring their packages up to a standard,” said Donald. “It also recognizes and demonstrates appreciation for these folks for creating this thing in the first place and sticking with it.”
The Log4Shell vulnerability really demonstrated the point that companies, government, and society rely heavily on these open source packages which opens them up to vulnerabilities if the packages are not properly maintained. This could lead to a loss of time, energy, and money for organizations that have to deal with the ramifications of remediating them.
Tidelift’s approach: make open source work better—for everyone
“At Tidelift, one of the things we do is create these direct economic and business process relationships with the original open source creators or the current maintainers,” said Donald. “We also give them tools and a standard set of processes to follow to ensure that the software meets objective, hygiene-level standards.”
The Tidelift model was inspired by how many other companies have formed around open source projects. These companies’ success is typically based on understanding what large enterprises care about, and then doing the extra, often labor-intensive, work to ensure the projects meet the standards around security and maintenance that enterprises need to attain. With Tidelift, however, the twist is that this work is not done solely by a group of employees on a corporate campus anymore—instead, it’s done by the open source creators themselves.
After all, how much easier would it be to develop applications if there was a centralized place developers could go to get software building blocks that already meet the enterprise standards the organization requires?
“[Tidelift provides] a set of tools just like that, that any organization can buy as a service to get their repository of vetted open source components that they know meet these standards,” said Donald. “And the reason we know they meet these standards is we went and got the open source creators and maintainers into the loop to help us figure it out.”
That’s how Tidelift provides value to both maintainers and enterprises: organizations receive tools and processes to manage their open source components, and maintainers get paid for the work they do supporting these tools and processes around security and licensing.
The importance of managing open source in light of new laws
This model can be extremely helpful to big organizations with lots of application developers in regulated industries, such as financial services, healthcare, life sciences, and government. Over the past year, the U.S. federal government has added even more emphasis around software security since the introduction of the White House executive order on cybersecurity in May 2021. In its wake, a number of federal agencies have enacted standards and policies that impact organizing using open source software to build applications.
For example, there is now a requirement for organizations that do business with the federal government to supply a software bill of materials (SBOM) showing the open source “ingredients” in their products, and also to make affirmative assurances around the security and provenance of those components. Those are challenges organizations need help addressing.
“That’s a really interesting opportunity for Tidelift and our partnered open source maintainers to come together with organizations that need to answer these questions and meet these standards—and to get it done together in a way that benefits everybody,” said Donald.
Thank you, EnterpriseReady, for inviting Donald to chat about Tidelift’s story. Again, you can listen to the full interview here.