This week we released a new Tidelift company video that in 3 minutes articulates the problem Tidelift solves, how we solve it, and what makes us unique.
1. Problem: Using bad #opensource packages slows teams down and creates risk to organizations' revenue, data, and customers.
2. How Tidelift helps: Tidelift helps organizations proactively reduce their reliance on bad open source packages.
3. What makes us unique: We are the only company that partners with the #maintainers of 1000s of the most-relied-upon open source packages and pays them to make their packages healthier and more secure.
Watch it for yourself today! If you want to talk further with us about anything you see in the video, get in touch with us here: https://lnkd.in/gksz64h8
Tidelift
Software Development
Boston, MA · 3,395 followers
Tidelift helps organizations effectively manage the open source behind modern applications.
About us
Tidelift helps organizations effectively manage the open source behind modern applications. Through the Tidelift Subscription, the company delivers a comprehensive management solution, including the tools to create customizable catalogs of known-good, proactively maintained components backed by Tidelift and its open source maintainer partners. Tidelift enables organizations to accelerate development and reduce risk when building applications with open source, so they can create even more incredible software, even faster.
- Website: https://tidelift.com
- Industry: Software Development
- Company size: 11-50 employees
- Headquarters: Boston, MA
- Type: Privately held
- Founded: 2017
- Specialties: open source, open source software, open source software security, open source software management, and software supply chain security
Locations
- Primary: 50 Milk St, 16th Floor, Boston, MA 02109, US
Updates
-
This year’s Tidelift maintainer impact report is now available! We release a new maintainer impact report annually to shine a light on the most current and compelling evidence of the positive impact that organizations can expect to achieve—outcomes that reduce organizational risk and improve operational efficiency—when they invest directly in their open source software supply chain by paying maintainers.
For this year’s report, we wanted to connect secure upstream open source software with meaningful customer outcomes. To do this, we are featuring a case story of how one Tidelift customer improved the security and resilience of an important Python application used to analyze and forecast commercial pricing in a competitive, highly regulated industry. We wanted to see how they were able to improve the application’s security and resilience over a two-year period with help from Tidelift and our open source maintainer partners.
Bottom line results: This customer is able to set accurate pricing, drive profitability, and improve their margins because their developers have been able to reduce the organization’s reliance on abandoned, end-of-life, or otherwise insecure open source packages that are costing them time and money. Specifically, they:
- Saved $1.1 million of organizational time across engineering, legal, and security that would have been spent on requirements research and engineering implementation time
- Reduced application risk by turning 37% of this customer’s independently maintained packages from an “unknown future” to reliably secured and maintained, with a plan in place to grow that percentage to 58% in 2025 and 80% in 2026
Links to the maintainer impact report and the blog post announcing it in the comments!
-
Introducing urllib3. urllib3 is a critical package in the Python ecosystem, with over 450 million downloads each month. Its security is vital, as it handles web requests and certificate validation.
Thanks to Tidelift and its paying customers, maintainers Seth Michael Larson, Illia Volochii, Andrey Petrov, and Quentin Pradet have been able to improve security practices, including adding two-factor authentication and automating release processes. Their efforts led to urllib3 achieving an impressive 9.6/10 score on the OpenSSF Scorecard.
Check out the video below to learn more!
-
The latest article by IEEE Spectrum explores some of the most pressing issues facing open source software. The common thread: open source maintainers are overwhelmed and need support. The article features the 2024 Tidelift state of the open source maintainer report, citing the top three things that respondents to the survey said they disliked about being an open source maintainer:
- Not being financially compensated enough or at all for their work
- Feeling underappreciated or “like the work is thankless”
- Adding to their personal stress
Author Rina Diane Caballar discusses the recent WordPress lawsuit, what maintainers have to say, and possible solutions to this crisis. Read more on IEEE Spectrum: https://lnkd.in/giHn79Wg
-
Are you familiar with security challenges surrounding open source software? In a new interview with Michael Vizard at Techstrong TV, Tidelift CEO and co-founder Donald Fischer and Sonatype CTO and co-founder Brian Fox explore the impact paying maintainers can have on making the software supply chain more secure. They share evidence from new Tidelift and Sonatype surveys that shows when maintainers are paid, they invest more in keeping their projects secure and reliable.
Early this year, the Harvard Business School set out to approximate the value of open source and found that its value sits at about 8.8 trillion dollars (yes, trillion). By comparison, the entire U.S. electrical grid is valued at 1.5-2 trillion dollars, and the U.S. interstate highway system is valued at 750 billion dollars. It’s more than safe to say that open source is vital infrastructure in our modern society. But unlike the electrical grid and the interstate highway system, open source isn’t publicly funded. Yet, we expect open source maintainers to keep their open source projects secure, maintained, and up to industry and government standards. (At this year’s Upstream, Tidelift co-founder and General Counsel Luis Villa sat down with Frank Nagle, one of the authors of this Harvard Business School study, to discuss how the numbers came to be and what this finding means for open source maintainers and software supply chain security. You can find the link in the comments below.)
In this year’s Tidelift state of the open source maintainer report, we found:
- Bad news: 60% of open source maintainers report being unpaid for their work
- Good news: those who are paid spend more time on their projects and are almost twice as likely to be able to prioritize remediating security vulnerabilities
A direct quote from Brian: “Why can’t we peel off a fraction of a percent of that [the 8.8 trillion value] to help support those very people? When that happens, these things will get solved. Until then, it’s an uphill battle.”
And from Donald: “The number one pain point that maintainers are reporting when we ask them this question [What do you dislike about being an open source maintainer?], is that a lot of folks are making a ton of money using their open source projects and assuming that they’re going to do all of this work to bring it to the enterprise grade, and they’re not getting paid for any of it. And that’s a really straightforward issue for us to solve.”
To hear more about open source supply chain challenges along with findings from the 2024 Tidelift state of the open source maintainer report and from Sonatype's State of the Software Supply Chain report, you can watch the whole interview here: https://lnkd.in/gK8BCw5z
-
Now playing: learn how your organization can use open source packages with confidence with help from Tidelift and our maintainer partners. Tidelift partners with the maintainers of thousands of the most-relied-upon open source packages, and pays them to implement industry-leading secure software development practices and document the practices they follow. With Tidelift's package intelligence, application developers can proactively evaluate whether their open source package choices are secure and well maintained. Learn more in the video below.
-
In the latest #OSSPodcast episode, Tidelift's Donald Fischer and Brian Fox from Sonatype join hosts Josh Bressers and Kurt Seifried to discuss the current state of open source and what the future holds, accompanied by findings from both the 2024 Tidelift state of the open source maintainer report and Sonatype's State of the Software Supply Chain report. Listen now: https://lnkd.in/gKEvi4jt
-
Last week, Tidelift co-founder and General Counsel Luis Villa joined an illuminating panel at TechCrunch Disrupt 2024 on "Free but Not Cheap: the Open Source Dilemma." Here are some key takeaways:
- The current model for securing open source is insufficient and needs fixing
- Volunteer maintainers shouldn't bear the security burden alone; compensation is key
- Organizations using open source in commercial products will be expected to step up
- Government involvement is increasing, with new regulations on the horizon
As Luis pointed out, "The median number of people who work on an open source project that your company consumes is one." This reality underscores the need for a new approach.
Bogomil Balkansky at Sequoia Capital highlighted the shift of liability from consumer to producer: “Through regulation and market expectations I think the integrators of open source now have a powerful incentive to secure their consumption or their integration of open source because at the end of the day they’ll be the ones responsible for the holistic security of their products.”
The future of open source security lies in taking an active role in the future of your supply chain. As Aeva Black from Cybersecurity and Infrastructure Security Agency (CISA) noted, "Staying involved is how you maintain your product in the long term."
Read our full highlights on the Tidelift blog: https://lnkd.in/gHfjq5nX
-
Yesterday Tidelift’s Luis Villa participated in a TechCrunch Disrupt panel entitled “Free but Not Cheap: the Open Source Dilemma” alongside Aeva Black from Cybersecurity and Infrastructure Security Agency and Bogomil Balkansky from Sequoia Capital, moderated by Lorenzo Franceschi-Bicchierai from TechCrunch. A few key themes from the discussion:
- The current model for ensuring the independently maintained open source projects most organizations rely on are secure is not sufficient and needs to be fixed.
- Volunteer open source maintainers shouldn’t be expected to shoulder the burden of keeping projects secure without being compensated for the work.
- End consumers also should not pay the price for the consequences of insecure products.
- Governments are getting involved, and leading efforts to raise the security standard for open source.
- Those organizations incorporating open source into their commercial products (open source integrators) WILL be expected to shoulder this security burden.
- They should start paying attention because regulation to force the issue is on the way. In the EU it is here already (through the recently passed Cyber Resilience Act and the Product Liability Directive) and the US likely won’t be far behind.
Money quotes, emphasis ours:
Luis Villa, Tidelift: “One of the tensions in the current moment is that on the one hand, it’s great that we are getting government attention because this has been rightly pointed out that it is now a national security concern. The good news is that open source has been so successful that we have White House conferences about it. The bad news is that we have White House conferences for some very scary reasons and that kind of attention is going to bring pressure on open source that I don’t think our communities and certainly not our solo maintainers will handle just for the fun of it.”
Aeva Black, CISA: “If you don’t know what’s in the box, you can’t secure it, so it is your responsibility as builders to know what’s in the box. We need better tools, we need better engagement to enable everybody to do that with less effort and less burden on individual volunteer maintainers and non-profits.”
Bogomil Balkansky, Sequoia Capital: "Through regulation and market expectations I think the integrators of open source now have a powerful incentive to secure their consumption or their integration of open source because at the end of the day they’ll be the ones responsible for the holistic security of their products. These integrators face a relatively simple economic dilemma. Either spend the money and resources to fix vulnerabilities in whatever open source I am consuming or I channel money, resources, and or time to help the upstream maintainers of open source to do it for me."
Check out the panel here: https://lnkd.in/gK-FxSV9 #TechCrunchDisrupt2024
-
At this year’s All Day DevOps, Tidelift CEO and co-founder Donald Fischer and Brian Fox, CTO and co-founder at Sonatype, took to the virtual stage to discuss the threat created by ignoring the needs of overworked and underpaid maintainers against the backdrop of the rapidly-scaling open source ecosystem and increased attacks on the software supply chain. The bottom line: paying open source maintainers improves security outcomes for any organization using open source.
Donald and Brian shared data from Tidelift’s state of the open source maintainer report and Sonatype’s state of the software supply chain report. A few highlights:
- Projects with paid support are 3x more likely to have a comprehensive security policy
- Components with paid support resolve outstanding vulnerabilities up to 45% faster and have half the vulnerabilities overall
- Paid maintainers implement 55% more critical security and maintenance practices than unpaid maintainers
That’s the good news. The bad news is that 60% of maintainers are not paid for their work, which means they don’t have the time and motivation to do this important work to make your organization’s applications more secure.
Want to learn more about how you can ensure the security of your organization’s open source software supply chain with the help of open source maintainers? Watch the clip below.