Our primary goal at Tidelift is to make open source work better for users and creators alike. How do we plan on doing that? One key way is ensuring the maintainers of the open source projects professional development teams depend on get paid for their work!
We want to make it as simple as possible for maintainers to earn money for their projects using a scalable, recurring model. Open source maintainers should be rewarded based on the value they create for users, not on the amount of time they spend consulting, or on their ability to successfully collect donations.
To this end, we’ve designed a set of tasks that we’re asking maintainers to complete to be eligible for payments from Tidelift. Many of them are things that maintainers already do.
Individually, a single maintainer doesn’t have much leverage to approach a big potential customer and ask them to pay. But by collectively working together, each maintainer can do their small part to make all of open source better maintained, and potentially grow a large pie of revenue for them and their communities.
So let’s get on with it! Here are the key tasks we ask maintainers we partner with (who we call “lifters”) to complete:
1. Verify missing GitHub repository URL
Through libraries.io, Tidelift tracks millions of different open source dependencies. Sometimes, though, our data isn’t perfect. If that’s the case, we ask lifters to help us track their repositories by providing the correct URL to their GitHub repository so that we have the proper data for each package.
2. License verification
This task asks lifters to confirm the licensing metadata of their project. Why? We’ve found that 21% of packages have a license error between the source and the package manager. This is a one-time task, and would only ever need to be redone if you relicense your project.
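The mismatch this task targets is a concrete, checkable property: the license a package declares to its package manager versus the license text actually shipped in the repository. The script below is an added example (not Tidelift's tooling or any lifter's code) that performs that comparison for a `package.json`, using a constructed subset of SPDX identifiers and a few phrase fingerprints for recognising license text; the sample `package.json` and LICENSE excerpts are constructed for the demonstration.

```python
"""Check that a package's declared license metadata agrees with its LICENSE text.

Added example: the alias table and text fingerprints are a hand-built subset
(an assumption for illustration), not an official SPDX or license-detection
data set.
"""
import json

# Loose spellings that commonly appear in package-manager metadata, mapped to
# canonical SPDX identifiers (constructed subset).
SPDX_ALIASES = {
    "mit": "MIT",
    "mit license": "MIT",
    "apache-2.0": "Apache-2.0",
    "apache 2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "bsd-3-clause": "BSD-3-Clause",
    "bsd-2-clause": "BSD-2-Clause",
    "gpl-3.0": "GPL-3.0-only",
    "gplv3": "GPL-3.0-only",
}

# Ordered phrase fingerprints for recognising license text. More specific
# entries come first so BSD-3-Clause is tested before BSD-2-Clause, whose
# text is a subset of it.
TEXT_FINGERPRINTS = [
    ("MIT", ["permission is hereby granted, free of charge"]),
    ("Apache-2.0", ["apache license", "version 2.0"]),
    ("GPL-3.0-only", ["gnu general public license", "version 3"]),
    ("BSD-3-Clause", ["redistributions of source code must retain",
                      "neither the name of"]),
    ("BSD-2-Clause", ["redistributions of source code must retain"]),
]


def normalize_license(declared):
    """Map a package.json 'license' value (string, or the legacy
    {"type": ..., "url": ...} object) to an SPDX identifier, or None."""
    if isinstance(declared, dict):
        declared = declared.get("type")
    if not isinstance(declared, str):
        return None
    key = " ".join(declared.strip().lower().split())
    return SPDX_ALIASES.get(key)


def detect_license_text(text):
    """Guess the SPDX identifier of a LICENSE file from characteristic phrases."""
    body = " ".join(text.lower().split())
    for spdx, phrases in TEXT_FINGERPRINTS:
        if all(phrase in body for phrase in phrases):
            return spdx
    return None


def check_package_json(package_json, license_text):
    """Compare declared metadata against shipped license text and classify."""
    declared = normalize_license(json.loads(package_json).get("license"))
    detected = detect_license_text(license_text)
    if declared is None:
        status = "metadata-missing-or-unrecognised"
    elif detected is None:
        status = "license-text-unrecognised"
    elif declared == detected:
        status = "match"
    else:
        status = "mismatch"
    return {"declared": declared, "detected": detected, "status": status}


# Constructed sample inputs: a LICENSE excerpt in MIT wording, one manifest
# that declares Apache 2.0 (a mismatch) and one that declares MIT (a match).
SAMPLE_MIT_TEXT = (
    "MIT License\n\nCopyright (c) 2019 Example Maintainer\n\n"
    "Permission is hereby granted, free of charge, to any person obtaining "
    "a copy of this software and associated documentation files..."
)
SAMPLE_PACKAGE_JSON_MISMATCH = json.dumps(
    {"name": "example-pkg", "version": "1.2.3", "license": "Apache 2.0"})
SAMPLE_PACKAGE_JSON_MATCH = json.dumps(
    {"name": "example-pkg", "version": "1.2.3", "license": {"type": "MIT"}})

if __name__ == "__main__":
    for manifest in (SAMPLE_PACKAGE_JSON_MISMATCH, SAMPLE_PACKAGE_JSON_MATCH):
        print(check_package_json(manifest, SAMPLE_MIT_TEXT))
```

Running the block reports a `mismatch` for the first manifest (declared `Apache-2.0`, detected `MIT`) and a `match` for the second. The phrase-based detection is deliberately conservative: when it cannot recognise the text, it reports `license-text-unrecognised` rather than guessing, so a human reviews the file instead of the script silently passing it.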
3. Security vulnerabilities
Security vulnerabilities are infrequent for most open source packages, but we help customers immediately know if they are using an affected version of a package. We ask lifters to provide us with a history of any vulnerabilities that they’ve encountered, and to also be responsive to future security issues.
4. Coordinated disclosure
When projects don’t have security contact information posted, they risk having a vulnerability filed as a public GitHub issue, for example. This makes the vulnerability public immediately.
If a project already has a coordinated disclosure policy, all you need to do is point us to the URL for the policy. If the project doesn’t have a policy, you can make one on your own, or use Tidelift to coordinate the fix and disclosure for you.
5. Release streams
Long term support; latest release only; last major and most recent minor; specific vulnerable or broken versions. These are all details that could apply to the version map of a given project, and they can multiply by the thousands in a complex dependency tree. We’re asking lifters to clarify which versions their users should (or shouldn’t!) use, and Tidelift will direct them to those specific releases.
6. Release notes
We provide a unified activity feed of “what’s new in your dependencies,” one that is more than just a firehose of notifications. Lifters are providing release notes for their current and future versions, which Tidelift consolidates and distributes to subscribers. This can be done either in the text box shown below or through our API.
7. Tell your users about Tidelift
The final task we ask of lifters is to inform their users that their projects are now being supported as part of the Tidelift Subscription. Why? First of all, we think that transparency is crucial in open source, but that it’s a necessity when discussing how work on the project is paid for. If you’re earning money for an open source project, we believe the community should know.
Second, users of a project are the most likely to want to support it financially, so we think this is a great way to introduce users to a new way to help the project while getting a valuable service in return. We also offer lifters a $250 bonus when we sign a subscriber who came to us from one of their referral links generated in our app 😃
Here are three examples of how projects we're working with are doing this:
urllib3 mentions Tidelift in their README, describing the Tidelift value proposition in their own words:
Also in their README, Nokogiri touches on what Tidelift does for subscribers, but also what funding from Tidelift enables the Nokogiri team to do to help make the project better:
Material-UI uses a banner on the top-right of their homepage to promote Tidelift:
And that’s it! If you’d like to join the hundreds of projects already being maintained as part of the Tidelift Subscription, you can go ahead and complete our onboarding process, or you can reach out to me directly at email@example.com if you have any questions.