Tidelift

This week we released a new Tidelift company video that in 3 minutes articulates the problem Tidelift solves, how we solve it, and what makes us unique. 1️⃣ Problem: Using bad #opensource packages slows teams down and creates risk to organizations' revenue, data, and customers. 2️⃣ How Tidelift helps: Tidelift helps organizations proactively reduce their reliance on bad open source packages. 3️⃣ What makes us unique: We are the only company that partners with the #maintainers of 1000s of the most-relied-upon open source packages and pays them to make their packages healthier and more secure. Watch it for yourself today! 📽 If you want to talk further with us about anything you see in the video, get in touch with us here: https://lnkd.in/gksz64h8

The latest article by IEEE Spectrum explores some of the most pressing issues facing open source software. The common thread: open source maintainers are overwhelmed and need support. The article features the 2024 Tidelift state of the open source maintainer report, citing the top three things that respondents to the survey said they disliked about being an open source maintainer: - Not being financially compensated enough or at all for their work - Feeling underappreciated or “like the work is thankless” - Adding to their personal stress Author Rina Diane Caballar discusses the recent WordPress lawsuit, what maintainers have to say, and possible solutions to this crisis. Read more on IEEE Spectrum 👉 https://lnkd.in/giHn79Wg

Are you familiar with security challenges surrounding open source software? 🤔 In a new interview with Michael Vizard at Techstrong TV, Tidelift CEO and co-founder Donald Fischer, and Sonatype CTO and co-founder Brian Fox explore the impact paying maintainers can have on making the software supply chain more secure. They share evidence from new Tidelift and Sonatype surveys that shows when maintainers are paid, they invest more in keeping their projects secure and reliable. Early this year, the Harvard Business School set out to approximate the value of open source and found that its value sits at about 8.8 trillion dollars (yes, trillion 😵💫). By comparison, the entire U.S. electrical grid is valued at 1.5- 2 trillion dollars, and the U.S. interstate highway system is valued at 750 billion dollars. It’s more than safe to say that open source is vital infrastructure in our modern society. But unlike the electrical grid and the interstate highway system, open source isn’t publicly funded. Yet, we expect open source maintainers to keep their open source projects secure, maintained, and up to industry and government standards. (At this year’s Upstream, Tidelift co-founder and General Counsel Luis Villa sat down with Frank Nagle, one of the authors of this Harvard Business School study, to discuss how the numbers came to be and what this finding means for open source maintainers and software supply chain security. You can find the link in the comments below.) In this year’s Tidelift state of the open source maintainer report, we found: - Bad news, 60% of open source maintainers report being unpaid for their work  - Good news, those who are paid spend more time on their projects and are almost twice as likely to be able to prioritize remediating security vulnerabilities A direct quote from Brian, “Why can’t we peel off a fraction of a percent of that [the 8.8 trillion value] to help support those very people? When that happens, these things will get solved. Until then, it’s an uphill battle.” And from Donald, “The number one pain point that maintainers are reporting when we ask them this question [What do you dislike about being an open source maintainer?], is that a lot of folks are making a ton of money using their open source projects and assuming that they’re going to do all of this work to bring it to the enterprise grade, and they’re not getting paid for any of it. And that’s a really straightforward issue for us to solve.” To hear more about open source supply chain challenges along with findings from the 2024 Tidelift state of the open source maintainer report and from Sonatype's State of the Software Supply Chain report, you can watch the whole interview here 👉 https://lnkd.in/gK8BCw5z

Now playing 📺 : learn how your organization can use open source packages with confidence with help from Tidelift and our maintainer partners. 🤝 Tidelift partners with the maintainers of thousands of the most relied upon open source packages, and pays them 💰 to implement industry leading secure software development practices and document the practices they follow. With Tidelift's package intelligence, application developers can proactively evaluate whether their open source package choices are secure and well maintained. 💪 🔒 Learn more in the video below 🍿 ↘️

In the latest #OSSPodcast episode, Tidelift's Donald Fischer and Brian Fox from Sonatype join hosts Josh Bressers and Kurt Seifried to discuss the current state of open source and what the future holds, accompanied by findings from both the 2024 Tidelift state of the open source maintainer report and Sonatype's State of the Software Supply Chain report. Listen now 📻 https://lnkd.in/gKEvi4jt

Last week, Tidelift co-founder and General Counsel Luis Villa joined an illuminating panel at TechCrunch Disrupt 2024 on "Free but Not Cheap: the Open Source Dilemma." Here are some key takeaways: - The current model for securing open source is insufficient and needs fixing ⚒️ - Volunteer maintainers shouldn't bear the security burden alone - compensation is key 💰 - Organizations using open source in commercial products will be expected to step up 👏 - Government involvement is increasing, with new regulations on the horizon 🏛️ As Luis pointed out, "The median number of people who work on an open source project that your company consumes is one." 💡 This reality underscores the need for a new approach. Bogomil Balkansky at Sequoia Capital highlighted the shift of liability from consumer to producer, “Through regulation and market expectations I think the integrators of open source now have a powerful incentive to secure their consumption or their integration of open source because at the end of the day they’ll be the ones responsible for the holistic security of their products.” 🤝 The future of open source security lies in taking an active role in the future of your supply chain. As Aeva Black from Cybersecurity and Infrastructure Security Agency (CISA) noted, "Staying involved is how you maintain your product in the long term." Read our full highlights on the Tidelift blog: https://lnkd.in/gHfjq5nX

Yesterday Tidelift’s Luis Villa participated in a TechCrunch Disrupt panel entitled “Free but Not Cheap: the Open Source Dilemma” alongside Aeva Black from Cybersecurity and Infrastructure Security Agency and Bogomil Balkansky from Sequoia Capital, and moderated by Lorenzo Franceschi-Bicchierai from TechCrunch. A few key themes from the discussion: ⛔ The current model for ensuring the independently maintained open source projects most organizations rely on are secure is not sufficient and needs to be fixed. 💰 Volunteer open source maintainers shouldn’t be expected to shoulder the burden of keeping projects secure without being compensated for the work. 💸 End consumers also should not pay the price for the consequences of insecure products. 🏛️ Governments are getting involved, and leading efforts to raise the security standard for open source. 🏢 Those organizations incorporating open source into their commercial products (open source integrators) WILL be expected to shoulder this security burden. 👀 They should start paying attention because regulation to force the issue is on the way. 🇪🇺🇺🇸 In the EU it is here already (through the recently passed Cyber Resilience Act and the Product Liability Directive) and the US likely won’t be far behind. 💵 Money quotes, emphasis ours: Luis VIlla, Tidelift: “One of the tensions in the current moment is that on the one hand, it’s great that we are getting government attention because this has been rightly pointed out that it is now a national security concern. The good news is that open source has been so successful that we have White House conferences about it. The bad news is that we have White House conferences for some very scary reasons and 👉 that kind of attention is going to bring pressure on open source that I don’t think our communities and certainly not our solo maintainers will handle just for the fun of it. 👈” Aeva Black, CISA 👉 ”If you don’t know what’s in the box, you can’t secure it, so it is your responsibility as builders to know what’s in the box. 👈 We need better tools, we need better engagement to enable everybody to do that with less effort and less burden on individual volunteer maintainers and non-profits.” Bogomil Balkansky, Sequoia Capital: "Through regulation and market expectations I think the integrators of open source now have a powerful incentive to secure their consumption or their integration of open source because at the end of the day they’ll be the ones responsible for the holistic security of their products. These integrators face a relatively simple economic dilemma. 👉 Either spend the money and resources to fix vulnerabilities in whatever open source I am consuming or I channel money, resources, and or time to help the upstream maintainers of open source to do it for me. 👈" Check out the panel here: https://lnkd.in/gK-FxSV9 #TechCrunchDisrupt2024

At this year’s All Day DevOps, Tidelift CEO and co-founder Donald Fischer Fischer and Brian Fox, CTO and co-founder at Sonatype took to the virtual stage to discuss the threat created by ignoring the needs of overworked and underpaid maintainers against the backdrop of the rapidly-scaling open source ecosystem and increased attacks on the software supply chain. The bottom line: paying open source maintainers improves security outcomes for any organization using open source. 👏💰 Donald and Brian shared data from Tidelift’s state of the open source maintainer report and Sonatype’s state of the software supply chain report. A few highlights: - Projects with paid support are 3x more likely to have a comprehensive security policy - Components with paid support resolve outstanding vulnerabilities up to 45% faster and have half the vulnerabilities overall - Paid maintainers implement 55% more critical security and maintenance practices than unpaid maintainers That’s the good news. The bad news is that 60% of maintainers are not paid for their work, which means they don’t have the time and motivation to do this important work to make your organization’s applications more secure. Want to learn more about how you can ensure the security of your organization’s open source software supply chain with the help of open source maintainers? Watch the clip below 👇

Spotlight on jackson-databind 💡 🎬 In this new video, we’re excited to highlight the story of how, with income from Tidelift and our customers, jackson-databind maintainer, Tatu Saloranta, was able to implement secure software development practices and make a commitment to keep the project updated over time. 🤔 What is jackson-databind? jackson-databind is a heavily relied upon package in the Java ecosystem. It’s downloaded almost 3 million times per month, and is a dependency for almost 19,000 other open source packages. 📚 What’s the story? Unfortunately, jackson-databind had been impacted by a large number of remote code execution vulnerabilities, leading to increased security risks. 😣 To lower this risk, many organizations had considered investing time and resources into re-architecting their applications to eliminate jackson-databind altogether. Tatu used income from Tidelift to re-architect the project completely, effectively eliminating the remote code execution vulnerabilities. Even more, because Tatu was paid for this work, Tidelift customers using jackson-databind no longer face risk from remote code execution vulnerabilities, and they didn't have to re-architect their applications. 🎉 https://lnkd.in/gwkbhVe8

Have you been keeping up to date with the latest government actions related to open source? 📜 Tidelift co-founder and General Counsel Luis Villa rounds up the most newsworthy changes in the US and EU in his latest post on the Tidelift blog. 🏛️ The Cybersecurity and Infrastructure Security Agency (CISA)'s product security "bad practices"  The text includes recommendations against: - Using memory-unsafe languages - Shipping open source with known CVEs 🏛️ The EU’s Product Liability Directive (PLD) This new PLD (the last update was in 1984) includes the following language that organizations using open source should read carefully (emphasis ours): “Where free and open-source software supplied outside the course of a commercial activity is subsequently integrated by a manufacturer as a component into a product… 👉 it should be possible to hold that [integrating] manufacturer liable for damage caused by the defectiveness of such software but not the manufacturer of the [original open source] software 👈 because they would not have fulfilled the conditions of placing a product or component on the market.” 🏛️ The EU’s Cyber Resilience Act (CRA) The CRA establishes affirmative obligations towards product security for software products sold in the EU.  This will require software developers and companies to comply with a variety of different checklists of security measures, including the use of SBOMs to track components of software systems. Read the full breakdown and learn how you can be prepared 🧰 🛠️ https://lnkd.in/ghZreS54