What is managed open source?

The Tidelift Subscription provides a comprehensive managed open source solution for your development team – backed by maintainers.

Tidelift partners directly with the maintainers of thousands of open source components to manage them for you, satisfying the basic criteria you’d require for any commercial-grade software:

  • Security: Verified updates for zero-day vulnerabilities, coordinated security response, and immediate notifications of which of your applications are impacted, with the fix prepared for you. Like your phone, just “apply updates” to stay secure.
  • Licensing: Verified-accurate open source licenses (including IP indemnification) and customizable policy enforcement. Your up-to-date software “bill of materials” is always one click away.
  • Maintenance: Tidelift continuously guides you on your upgrade path, steering you towards the best packages and versions for your particular application. It’s like a GPS for open source software.


A core element of the Tidelift solution is the concept of the catalog, which is a collection of approved packages that meet standards such as:

  1. Have clear and accurate licensing information
  2. Receive proactive security updates on an on-going basis
  3. Are actively managed by the open-source community.
  4. Any standards your organization defines.

Developers will always know what’s approved for use and can proactively check if their projects are aligned with their catalog using the Tidelift web app or Tidelift CLI.

Learn about how to get started with catalogs.

CI/CD pipeline integration

With a catalog in place, customers can choose from several mechanisms to keep their software projects aligned with the approved releases in the catalog:

  • The Tidelift CLI allows individual developers to check alignment at their desks, and request additions to the catalog;
  • A check in your CI/CD pipeline can verify catalog alignment;
  • Artifact managers such as JFrog Artifactory can be integrated with Tidelift to block not-in-catalog releases from your artifact repository, if desired.

Screen Shot 2020-07-08 at 3.28.10 PM

Bill of materials management

The Tidelift Subscription also provides bill of materials management, so you always know what package releases are used where. If you are made aware of a zero-day exploit in the wild, you can determine if it’s: 

  1. impacted your customer-facing app that contains personally identifiable customer information or...
  2. a dependency used in a self-contained back-office app that touches neither critical data nor processes

Screen Shot 2020-07-02 at 3.31.31 PM-1

Backed by maintainers

Tidelift works directly with the maintainers of the packages, compensating them for the work they do to keep packages enterprise-ready.