The Tidelift approach to securing open source dependencies

by Jeremy Katz
on November 21, 2019

If your team is like most modern application development teams, you are using a core of 70-80% open source components in your application. For good reason—there is usually an open source component already out there to grab for almost every standard task you come across when writing your application’s code.

But new security vulnerabilities related to those open source components emerge every day. Who in your organization is in charge of identifying and addressing those vulnerabilities?

If you find that the care and feeding of your open source dependencies to ensure they stay secure and reliable is taking up too much of your time, you might want to learn more about managed open source and the Tidelift Subscription.

The Tidelift Subscription provides a way for you to offload the work required to keep your open source dependencies secure to the people who know them best—the maintainers who created them.

Take this scenario: recently, someone reported a security vulnerability in a popular Python package privately via the Tidelift Subscription vulnerability reporting system. Because we work directly with the maintainers of that project, they quickly fixed the issue before it was publicly revealed, avoiding an all-too-common and universally dreaded zero-day exploit situation.

Imagine a world where security issues are reported quietly, maintainers provide a fix immediately, and you never even have to worry about it.

Tidelift co-founder Jeremy Katz explains more about Tidelift’s approach to securing open source dependencies in this video.
