Sometimes Dragons

New Client Profile: Tidelift



About Tidelift

Tidelift was founded by Donald Fischer, Jeremy Katz, Havoc Pennington, and Luis Villa in 2017 to take on the industry-wide challenge of how to systematically maintain open source software. Together the founders bring a mix of experience with tech companies and open source projects, with Fischer, Katz, and Pennington each having logged multiple years at Red Hat.

Tidelift is headquartered in Boston, MA; however, the majority of the team is distributed.

With a name that evokes the saying “a rising tide lifts all boats” (and thus benefits everyone), Tidelift’s aims are two-fold: to provide application development teams with reliable, vetted, and maintained open source components, and to pay the maintainers of those components for their efforts. A typical enterprise might rely upon hundreds or thousands of open source projects, but only pay for and receive commercial support for the most visible of these, such as Linux or PostgreSQL. Tidelift wants to bring a broader range of components and libraries under management, especially as developers increasingly pull in dependencies through package managers such as npm. The company’s current tagline: “Managed open source. Backed by maintainers.”



Tidelift has one official product: the Tidelift Subscription. Aimed at application development teams, a Tidelift Subscription provides subscribers with access to a managed set of packages from community-led open source projects that are commonly found as application dependencies. The subscription currently covers Java, JavaScript, .NET, PHP, Python, and Ruby components (with plans to add Go). Packages must meet certain guidelines and pass a vetting process to be included in this curated set, and subscribers are promised the following benefits for supported packages:

  • security updates
  • licensing verification and indemnification
  • maintenance and code improvements

A Tidelift Subscription also includes tools to help track dependencies, report issues, and create and enforce organization- or team-specific policies (integrations with GitHub, GitLab and Bitbucket are also supported). A recently introduced catalogs feature allows subscribers to create their own customized catalogs, which draw from the larger set of catalogs managed by Tidelift. Subscribers can use this feature to organize packages and to regulate or restrict which packages and versions are available to application developers based on organizational or team needs. This feature, which is based on the tools that Tidelift uses internally and with its maintainers (more on the maintainers below), gives subscribers greater flexibility in incorporating Tidelift into their existing open source maintenance workflows and CI/CD pipelines. At present the following package managers are supported for catalogs: Maven, .NET, npm, Packagist, Python Package Index (PyPI), and RubyGems.
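To make concrete what enforcing a catalog in a CI/CD pipeline amounts to, here is an added example written for this page, not Tidelift’s own tooling: it walks an npm lockfile and reports every resolved dependency, transitive ones included, that is either absent from an approved catalog or pinned to a version the catalog does not allow. The catalog contents, the lockfile excerpt, and the package names are constructed for illustration.

```python
import json
import sys

# Constructed, hypothetical catalog: package name -> set of approved versions.
# A real catalog would be exported from the organization's policy tooling.
APPROVED_CATALOG = {
    "lodash": {"4.17.21"},
    "express": {"4.18.2", "4.19.2"},
    "minimist": {"1.2.8"},
}

# Constructed excerpt of an npm lockfile (lockfileVersion 2/3 layout, where
# every resolved package is keyed by its path under node_modules/).
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/minimist": {"version": "1.2.8"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    },
})


def package_name_from_path(path):
    """Map a lockfile 'packages' key to a package name.

    'node_modules/express/node_modules/debug' -> 'debug'
    'node_modules/@scope/name'                -> '@scope/name'
    Taking the text after the last 'node_modules/' handles both nested
    (transitive) installs and scoped package names.
    """
    return path.rsplit("node_modules/", 1)[-1]


def check_lockfile(lock_json, catalog):
    """Return a sorted list of (name, version, reason) tuples for every
    dependency the catalog does not permit.

    Transitive dependencies are checked too: a package nested under another
    package's node_modules still ends up in the build, so it must be approved.
    """
    data = json.loads(lock_json)
    violations = []
    for path, info in data.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = package_name_from_path(path)
        version = info.get("version")
        if name not in catalog:
            violations.append((name, version, "not in catalog"))
        elif version not in catalog[name]:
            violations.append((name, version, "version not approved"))
    return sorted(violations)


if __name__ == "__main__":
    # Usage: python check_catalog.py [path/to/package-lock.json]
    # With no argument the constructed sample lockfile is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock_text = fh.read()
    else:
        lock_text = SAMPLE_LOCKFILE
    found = check_lockfile(lock_text, APPROVED_CATALOG)
    for name, version, reason in found:
        print(f"{name}@{version}: {reason}")
    # Non-zero exit fails the pipeline stage when anything unapproved resolved.
    sys.exit(1 if found else 0)
```

The check runs on the lockfile rather than on `package.json`, because the lockfile records what actually resolved, including transitive dependencies that a developer never asked for directly. Each supported package manager has its own lockfile format, so an equivalent check for Maven, PyPI or RubyGems needs its own parser; the catalog comparison itself stays the same.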

Tidelift also provides setup and onboarding guidance—which may appeal particularly to organizations that are seeking to establish a process for better regulating and cataloging their usage of open source packages—and ongoing guidance on package and version selection.

Tidelift relies on the successful recruitment and retention of maintainers in order to deliver the “backed by maintainers” part of its value proposition. As such it has established various guides and guidelines for maintainers to ensure that their projects and maintenance processes meet the standards required for inclusion in the Tidelift Subscription. Maintainers are paid based on how many subscribers use a given package, and Tidelift also provides a tool to help prospective maintainers estimate the monthly income for a given package.

Go to Market & Competitive Landscape

The Tidelift Subscription is based on an enterprise subscription model, providing capabilities and support for open source packages that are more in line with what is expected from commercial software. There are three Tidelift Subscription tiers (the larger tiers also include features such as additional indemnification protection):

  • Starter (for up to 25 developers)
  • Scale (for up to 100 developers)
  • Enterprise (for larger teams)

Tidelift boasts partnerships with AWS, Microsoft Azure and Google Cloud Platform as well as organizations who specialize in different parts of the app development and CI/CD pipeline such as GitHub, CloudBees, JFrog, and Sonatype.

As a two-sided market, Tidelift also must focus on bringing maintainers onto the platform. Notably, Tidelift often uses its blog to highlight the addition of new packages to its subscription and to shine a spotlight on maintainers, alongside thought leadership pieces on open source. The mix reflects the varied audiences upon which Tidelift’s business model depends and signals a shift towards community building from a company that lives in open source without the luxury of relying on a single project- or language-specific community. To this end Tidelift also conducts a series of surveys on open source.

While there are efforts out there (such as GitHub Sponsors and Open Collective) to put processes in place for people to compensate open source maintainers for their work, Tidelift’s primary competition is the internal adoption, usage, vetting, scanning, and maintenance processes that individual organizations already practice around open source components. Because the Tidelift Subscription model can work with or help refine these existing processes, the tools involved are best seen less as competition and more as part of a complementary toolset, with the added bonus that Tidelift provides pathways for resolving any security or maintenance issues that arise.


Disclosure: Tidelift is a RedMonk client, but this is an independent piece of research (not commissioned by Tidelift) and all opinions are our own. AWS, CloudBees, GitHub, GitLab, Google, Microsoft, and Red Hat are also RedMonk clients.

