When you partner with Tidelift as a maintainer, you’ll be working with us to ensure your projects meet important, maintainer-validated industry standards. A lifter is a Tidelift maintainer partner—learn more about being a lifter here. Lifter tasks are actions you can take, presented in an efficient management dashboard, to keep your projects at a level of maturity that enterprise customers expect.
Here is the most current set of tasks applicable to lifters; they are subject to change over time to reflect the needs of the open source ecosystem:
Confirm that this additional layer of security is enabled on your GitHub account, if there is one on record
Confirm that this additional layer of security is enabled for the package manager level where new versions are distributed
Set source repository URL: provide the correct link to the repository for this package
Confirm that you have reviewed who has access to manage releases for your package(s) and that only authorized people have that access
Provide detailed, conditional feedback on the vulnerabilities found in your package(s) so subscribers have the most accurate source of truth for the vulnerability
Set the versioning scheme the package uses to better understand which releases may have breaking changes
Clearly document the license type that has been assigned to your package(s)
Confirm there is a process in place for handling vulnerabilities found in your package(s)
Confirm which versions you are willing to provide security updates for and if you will offer subscribers any additional level of updates beyond what you offer all users
At Tidelift, our mission is to make open source work better—for everyone. We want to help improve the health and resilience of open source by working with you to implement security and maintenance standards that have been verified as valuable by your fellow open source maintainers.
We want to minimize the occurrence of open source supply chain attacks by improving the health and resilience of your open source packages, which we do by asking you to implement standards that have been verified by your fellow open source maintainers. Open source packages such as urllib3, jackson-core, and byte-buddy have already seen marked improvements in their health scores, as measured by the OpenSSF Scorecards, after implementing these standards.
With our dashboard, you can lift and see all of your packages, along with the tasks required to keep them healthy and secure.