
Tidelift Delivers Open Source Vulnerability Data to Subscribers with Sonatype


New Integration Provides Additional Open Source Vulnerability Identification and Remediation Capabilities to Tidelift Customers

BOSTON, Mass. – October 29, 2020 - Tidelift, the largest provider of commercial support and maintenance for the community-led open source behind modern applications, and Sonatype, a leading provider of open source intelligence, today announced that Tidelift has integrated Sonatype’s OSS Index data into the Tidelift Subscription to help developers more quickly identify and remediate security vulnerabilities in open source packages and libraries managed by Tidelift.

Over 92% of software applications today contain open source components and, due to the economic downturn resulting from the global pandemic, 42% of organizations are likely to accelerate their use of open source. A known vulnerability in a third-party library exposes every application that depends on it, regardless of how carefully the application's own code was written and reviewed.

This integration enables Tidelift to more rapidly notify its subscribers of cybersecurity issues present in their dependencies and also provides a fast-track process for remediation through Tidelift’s vast network of independent maintainers.

Sonatype’s OSS Index vulnerability data provides developers with foundational vulnerability information and the ability to better identify and remediate security risks for components managed by Tidelift. OSS Index contains aggregate data from a variety of vulnerability information sources, including:

“In a recent Tidelift survey, 58% of the respondents cited ‘identifying and resolving open source security vulnerabilities’ as a key issue,” said Matt Rollender, Head of Partnerships, Tidelift. “Giving our customers access to Sonatype’s OSS Index vulnerability data through the Tidelift Subscription directly addresses a key pain point for our growing client base.”

“Adversaries are increasingly targeting vulnerabilities in open source components,” said Matt Howard, EVP, Sonatype. “We’re thrilled that Tidelift sees how much value our OSS Index data provides to its customers and is integrating it into the Tidelift Subscription.” 

Tidelift subscribers have access to customizable catalogs of known-good, proactively maintained JavaScript, Python, Java, PHP, Ruby, and .NET components, among others. The platform integrates with CI/CD pipelines via several mechanisms, offers bill of materials management, and is backed by a growing list of maintainers who are compensated for the work they do to keep packages enterprise-ready.

About Tidelift

Tidelift is the largest provider of commercial support and maintenance for the community-led open source behind modern applications. The company partners with independent project maintainers to make it safer, easier, and more cost-effective for application development teams to build with open source, so they can create even more incredible software, even faster. The Tidelift managed open source solution delivers customizable catalogs of components that are actively maintained, secure, and accurately licensed, enabling development teams to build and deploy with confidence. Tidelift makes open source work better—for everyone. 

About Sonatype

Sonatype is the leader in software supply chain automation technology, with more than 350 employees and over 1,200 enterprise customers, and is trusted by more than 10 million software developers. Sonatype's Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.