Tidelift Subscription Enhanced with Sonatype Integration

October 29, 2020

Tidelift has integrated Sonatype's OSS Index data into the Tidelift Subscription to help developers more quickly identify and remediate security vulnerabilities in open source packages and libraries managed by Tidelift.

Over 92% of software applications today contain open source components and, due to the economic downturn resulting from the global pandemic, 42% of organizations are likely to accelerate their use of open source. A known vulnerability in a single library can expose an application regardless of how carefully the team's own code was written.

This integration enables Tidelift to notify its subscribers more rapidly of security vulnerabilities present in their dependencies, and also provides a fast-track process for remediation through Tidelift's network of independent maintainers.

Sonatype's OSS Index vulnerability data provides developers with foundational vulnerability information and the ability to better identify and remediate security risks for components managed by Tidelift. OSS Index contains aggregate data from a variety of vulnerability information sources, including:

Common Vulnerabilities and Exposures (CVE) entries;

A growing list of public vulnerability sources;

Community contributions.
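As an added example (not part of the original announcement, and not Tidelift's or Sonatype's own code), the script below shows what consuming OSS Index data looks like from a CI job: it posts package URLs to the public OSS Index v3 component-report endpoint, flattens the returned reports into one finding per package and vulnerability, and fails the build on any finding at or above a CVSS threshold or with no score at all. The endpoint URL, the 128-coordinate batch limit, the Basic-auth token format and the response field names are assumptions drawn from the public OSS Index API rather than from this page; the sample response is constructed with placeholder package names and identifiers, not real advisories.

```python
"""Check package URLs against Sonatype OSS Index and gate a CI build.

Added example; assumes the public OSS Index v3 REST API (not described on the page).
"""
import base64
import json
import sys
import urllib.request
from dataclasses import dataclass
from typing import Optional

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"  # assumption
MAX_BATCH = 128  # assumption: OSS Index caps coordinates per request at 128


@dataclass(frozen=True)
class Finding:
    coordinates: str           # package URL, e.g. pkg:npm/<name>@<version>
    vuln_id: str               # CVE id when one exists, otherwise the OSS Index id
    title: str
    cvss_score: Optional[float]  # None when OSS Index returns no score
    reference: str


def fetch_reports(coordinates, token=None, timeout=30):
    """POST package URLs to OSS Index in batches and return the raw reports.

    Needs network access; everything else in this file runs offline on the
    returned JSON (or on SAMPLE_REPORTS below).
    """
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:  # assumption: "user:apitoken" sent as HTTP Basic for higher rate limits
        headers["Authorization"] = "Basic " + base64.b64encode(token.encode()).decode()
    reports = []
    for start in range(0, len(coordinates), MAX_BATCH):
        body = json.dumps({"coordinates": coordinates[start:start + MAX_BATCH]}).encode()
        req = urllib.request.Request(OSS_INDEX_URL, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            reports.extend(json.load(resp))
    return reports


def extract_findings(reports):
    """Flatten component reports into Findings, highest CVSS first, unscored last."""
    findings = []
    for report in reports:
        for vuln in report.get("vulnerabilities", []):
            score = vuln.get("cvssScore")
            findings.append(Finding(
                coordinates=report["coordinates"],
                vuln_id=vuln.get("cve") or vuln.get("id", "unknown"),
                title=vuln.get("title", ""),
                cvss_score=float(score) if score is not None else None,
                reference=vuln.get("reference", ""),
            ))
    return sorted(findings, key=lambda f: -1.0 if f.cvss_score is None else f.cvss_score,
                  reverse=True)


def gate(findings, fail_at=7.0):
    """Findings that block the build: CVSS >= fail_at, plus unscored ones.

    An advisory without a score is surfaced rather than silently waved through;
    a human decides whether to suppress it.
    """
    return [f for f in findings if f.cvss_score is None or f.cvss_score >= fail_at]


# Constructed sample in the shape of an OSS Index v3 response. Package names,
# identifiers and titles are placeholders, not real packages or advisories.
SAMPLE_REPORTS = [
    {"coordinates": "pkg:npm/example-parser@1.4.0",
     "vulnerabilities": [
         {"id": "CVE-0000-0001", "cve": "CVE-0000-0001",
          "title": "placeholder: prototype pollution", "cvssScore": 9.8,
          "reference": "https://ossindex.sonatype.org/vulnerability/CVE-0000-0001"},
         {"id": "sonatype-0000-0002",
          "title": "placeholder: regular expression denial of service", "cvssScore": 5.3}]},
    {"coordinates": "pkg:pypi/example-crypto@2.0.1",
     "vulnerabilities": [{"id": "sonatype-0000-0003", "title": "placeholder: unscored advisory"}]},
    {"coordinates": "pkg:maven/org.example/clean-lib@3.1.0", "vulnerabilities": []},
]


def main(coordinates=None, fail_at=7.0):
    """Return a process exit code: 1 if any finding blocks the build, else 0."""
    reports = fetch_reports(coordinates) if coordinates else SAMPLE_REPORTS
    findings = extract_findings(reports)
    for f in findings:
        score = "unscored" if f.cvss_score is None else f"{f.cvss_score:.1f}"
        print(f"{f.coordinates}: {f.vuln_id} (CVSS {score}) {f.title}")
    blocking = gate(findings, fail_at)
    print(f"{len(blocking)} finding(s) at or above CVSS {fail_at} or unscored")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python check_oss_index.py pkg:npm/<name>@<version> ...   (no args: offline sample)
    sys.exit(main(sys.argv[1:]))
```

With no arguments the script runs against the constructed sample and exits 1 because of the placeholder CVSS 9.8 finding and the unscored advisory; with package URLs on the command line it queries OSS Index live. In a pipeline the package URLs would come from the project's lockfile or bill of materials, and the threshold would be set per repository.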

"In a recent Tidelift survey, 58% of the respondents cited 'identifying and resolving open source security vulnerabilities' as a key issue," said Matt Rollender, Head of Partnerships, Tidelift. "Giving our customers access to Sonatype's OSS Index vulnerability data through the Tidelift Subscription directly addresses a key pain point for our growing client base."

"Adversaries are increasingly targeting vulnerabilities in open source components," said Matt Howard, EVP, Sonatype. "We're thrilled that Tidelift sees how much value our OSS Index data provides to its customers and is integrating it into the Tidelift Subscription."

Tidelift subscribers have access to customizable catalogs of known-good, proactively maintained JavaScript, Python, Java, PHP, Ruby, and .NET components, among others. The platform integrates with CI/CD pipelines via several mechanisms, offers bill of materials management, and is backed by a growing list of maintainers who are compensated for the work they do to keep packages enterprise-ready.

Copyright 2002 - 2020 ConstituentWorks Corporation. All rights reserved.