Tidelift

Software Development

Boston, MA 3,268 followers

Tidelift helps organizations effectively manage the open source behind modern applications.

About us

Tidelift helps organizations effectively manage the open source behind modern applications. Through the Tidelift Subscription, the company delivers a comprehensive management solution, including the tools to create customizable catalogs of known-good, proactively maintained components backed by Tidelift and its open source maintainer partners. Tidelift enables organizations to accelerate development and reduce risk when building applications with open source, so they can create even more incredible software, even faster.

Website
http://tidelift.com
Industry
Software Development
Company size
11-50 employees
Headquarters
Boston, MA
Type
Privately Held
Founded
2017
Specialties
open source, open source software, open source software security, open source software management, and software supply chain security

Updates

  • Tidelift

    This week we released a new Tidelift company video that in 3 minutes articulates the problem Tidelift solves, how we solve it, and what makes us unique. 1️⃣ Problem: Using bad #opensource packages slows teams down and creates risk to organizations' revenue, data, and customers. 2️⃣ How Tidelift helps: Tidelift helps organizations proactively reduce their reliance on bad open source packages. 3️⃣ What makes us unique: We are the only company that partners with the #maintainers of 1000s of the most-relied-upon open source packages and pays them to make their packages healthier and more secure. Watch it for yourself today! 📽 If you want to talk further with us about anything you see in the video, get in touch with us here: https://lnkd.in/gksz64h8

  • Tidelift

    Upstream LIVE 🚨 and in person in Boston!

    For the first time ever, we’re taking Upstream live and we’re inviting people in the Boston area to come join the conversation! For this first event, Tidelift CEO and co-founder Donald Fischer is hosting a roundtable discussion centered around “rethinking vulnerability management.”

    Why do we need to rethink vulnerability management? The reality is that development teams are overwhelmed triaging long lists of #vulnerabilities, with little context on which are the most important to patch to actually reduce risk. And open source maintainers are swamped with vulnerability reports to investigate, many of which end up being false positives. 😖

    We’ve managed to create an endless game of security whack-a-mole and, worst of all, it may not be delivering the real outcome we desire: actual risk reduction. 🔨 🔁

    This session is for you if your organization is:

    - Developing applications using open source languages like Python, Java, JavaScript, Ruby, Rust, and Go
    - Concerned about security risks or software supply chain attacks impacting #opensource
    - Exploring more impactful ways to reduce risk beyond the traditional #vulnerability detection and remediation approach many organizations use today

    Other amazing guests joining the roundtable discussion:

    - John Mark Walker, Director of the OSPO at Fannie Mae
    - Jordan Harband, mega-maintainer of 500+ JavaScript projects
    - And you? 🫵

    Let’s work together to come up with a better solution. 👊

    Join us on Wednesday, Sept. 18 from 4 p.m. to 6 p.m. ET. at CIC at 245 Main St, Cambridge, MA 02142, United States. RSVP now, spots are limited! ▶️ https://lnkd.in/gjrZSw4y

    See you there! 👋

    • Upstream Live in Boston! Join Tidelift CEO and co-founder Donald Fischer for this one day, in-person event on September 18th
  • Tidelift

    🔒 Upstream 2024 recap: Escaping the CVE dungeon 🔒 What happens when CVEs are submitted to GitHub Issues? 🧐 During Upstream 2024, James Berthoty tackled this frustrating process in his talk, "How can we get CVEs out of GitHub Issues?" James shed light on the challenge that both security professionals and maintainers face when vulnerability scanners flag #CVEs. These are often reported to maintainers without proper validation, overwhelming them with unverified #vulnerabilities. As James pointed out, "The goal here is to find our way out of the CVE dungeon in which we have unfortunately locked ourselves in." He highlighted the importance of clearer maintainer security policies and called for vulnerability scanners to focus on upstream direct dependencies rather than the endless transitive ones that cause unnecessary noise. 🎯 This talk is a must watch for anyone navigating the complexities of #opensource security. Watch the full talk here 👉 https://lnkd.in/ghqxEzqc

  • Tidelift

    Tidelift co-founder and general counsel Luis Villa shares his HOWTO guide for paying open source maintainers with All Things Open Conference on We ❤️Open Source. 💰 Paying maintainers isn't just about compensation—it's about valuing the unseen, often underappreciated work that keeps open source projects secure and thriving. Maintainers play a critical role in ensuring the security and longevity of #opensource projects. Yet, the importance of compensating them fairly is often overlooked. This HOWTO outlines not only why paying them is vital but also how to do it effectively, ensuring that open source projects continue to benefit from the expertise and dedication of their #maintainers. Check out the full story on We ❤️Open Source 🗞️https://lnkd.in/g4FTVvCi For those interested in diving deeper into this topic, Lauren Hanford, VP of Product at Tidelift, will be speaking at All Things Open about the security work maintainers do behind the scenes. Her talk, "The Unseen, Underappreciated Security Work Your Maintainers May (or may not) Already Be Doing," will be Monday, October 28th, from 2:15 PM to 2:30 PM ET. We can guarantee you won’t want to miss this!  More information on the 2024 All Things Open conference can be found here 👉 https://lnkd.in/gkwDKc7R

  • Tidelift

    At Tidelift we love 🧡 sharing stories on how amazing things can happen when open source maintainers are paid to complete the work required to implement secure development practices for their projects. Today we're featuring Mongoose, a Node.js library used in over 4 million GitHub repositories and downloaded 2 million times a week on npm! 💥 📈 With funding from Tidelift and its customers, open source maintainer Val Karpov was able to raise the project’s OpenSSF scorecard score from 7 to 8 out of 10 🎉 —far surpassing the average score of 3.3. By implementing secure development practices, like preventing force pushes to the master branch and increasing the percentage of independent code reviews from 10-20% to 70-80%, Mongoose is now better equipped to handle vulnerabilities and maintain its critical role in the open source landscape. This partnership showcases the power of bridging the gap between maintainers and security initiatives, ensuring that popular #opensource projects remain secure and resilient. 🔒💪 In Val's own words: "I know all these open source standards communities and organizations are trying their best to do a good job. But I’m a software engineer. I got into working on Mongoose because I like to code, and sometimes keeping up on what some organization somewhere is doing is not something that I have the time or interest in. Tidelift helped me out with that. Bridging that gap [between maintainers and organizations] is as important as making sure that the standards are not too onerous, but also effective and sensible." To hear from Val and other maintainers, you can read this case story and more by following the link in the comments 🔗 👇 #Cybersecurity #NodeJS #SecureByDesign #OpenSSF

  • Tidelift reposted this

    Fed Gov Today

    5,043 followers

    David Dzergoski, Problem Solver at Tidelift gives valuable insight on building adaptable DevSecOps environments. David emphasizes the importance of understanding existing processes and tools while maintaining a clear mission objective. Key takeaways include the need for comprehensive toolsets, avoiding vendor lock, and ensuring effective communication across all organizational levels. By fostering a workgroup mentality and embracing small, iterative failures, agencies can improve efficiency, reduce cyber risk, and stay agile. This approach is essential for evolving missions and achieving success in federal software development. 🔍Learn more: https://lnkd.in/ehb-cWnY Presented by Tidelift & Carahsoft #FedGovToday #DevSecOps #Agile #Cybersecurity #GovernmentTech #SoftwareDevelopment

  • Tidelift

    What do open source maintainers think about #AI? 🤔 Take a sneak peek into the 2024 Tidelift state of the open source maintainer report with selected snippets, as presented by Tidelift CEO and co-founder Donald Fischer 👇

    Donald Fischer

    CEO and Co-Founder at Tidelift

    With GitHub rolling out new Copilot AI features this week, we wondered: do open source maintainers care? So Tidelift asked them! Here’s a sneak preview of what we heard.

    With the caveat that many maintainers were guarded or even skeptical about AI, here’s where they said it could help, in their own words:

    📚 Documentation: help improving documentation, automating documentation tasks, and making documentation more accessible.

    “Non technical problems like changelog summaries or other similar boring tasks about presenting the content of technical actions to lay people. Perhaps some documentation related text, auto-extracted from the source code.”

    🩺 Issue triage: help automating issue triage, identifying duplicate issues, and prioritizing issues.

    “Sometimes I receive vague bug reports or feature requests. I think having a chatbot that assists reporters and contributors in creating these could help reduce such cases.”

    🔍 Code quality and review: help automating code review and improving code quality.

    “Resolve imports to dependencies needed to satisfy those imports. Provide intelligent refactoring. Assess safety of a given change. Generate tests and PRs to capture and resolve a reported issue.”

    📟 Dependency management and security: help automating dependency management, identifying security vulnerabilities, and updating dependencies

    “Given a changelog for a new release of one of my dependencies, and the way the dependency is actually used in my codebase, what changes in the dependency do I need to investigate further than my tests will cover?”

    Our conclusion? The dawn of modern AI capabilities for coding is an exciting moment. But at the same time, we can’t lose sight of the humans behind open source who make all of modern software development possible, and what they need to get their essential job done.

    Stay tuned for Tidelift’s complete third open source maintainer survey report that will include this data coming soon, and until then check out last year’s report to understand the perspective of open source maintainers across many other dimensions: https://lnkd.in/eDMzEcjU

    The 2023 Tidelift state of the open source maintainer report

    tidelift.com

  • Tidelift

    “If we take away open source tomorrow, it’s very safe to say our infrastructure would collapse.” Tidelift co-founder and general counsel, Luis Villa, lays out why open source is critical infrastructure on the Open.Intel podcast with host Katherine Druckman. From open source beginnings, community as the core of open source, and the always spicy topic of #AI, the two stress the importance of recognizing the important role open source plays in our society. On #opensource as critical structure, Luis continues: “We’ve been talking about infrastructure as an analogy since ‘Roads and Bridges.’ [...] Open source has been taken for granted. [Open source software components] are going to be with us for dozens, hundreds of years—embedded in our systems. We need to be thinking about how we are building systems that are generationally robust. And ‘just finding the next maintainer’ is not the solution. It’s a stop gap.” Much like all other types of infrastructure, open source requires support. Katherine highlights the need to back open source #maintainers, especially by those who profit off of their work: “If the people who are ultimately profiting off from these things do not support the creation and maintenance of them, it falls apart. You can say that at any level, down to a single maintainer to a giant foundation. I think a big part of this conversation, about solving our critical problems in our community, is cross pollination—getting people to talk to each other. So many people are working on different solutions for similar problems. That was the entire spirit of open source, getting together and collaboratively solving the problem.”  There’s so much more covered in this episode that you won’t want to miss! Listen to the episode on your app of choice, or check it out here 🎙️👉 https://lnkd.in/gJuYW9G5

    • Open at Intel podcast features Tidelift co-founder and general counsel Luis Villa where he speaks about open source and why it's critical infrastructure.

Funding

Tidelift 4 total rounds

Last Round

Series C

US$ 6.5M
