Tidelift raises $27M to secure open-source supply chain

Today, open-source supply chain security provider Tidelift announced it has raised $27 million as part of a series C funding round led by Dorilton Ventures. The funding will enable the organization to help mitigate health and security issues in open-source software. 

Tidelift’s open-source management solution, the Tidelift subscription, provides enterprises with a tool to create, track and manage catalogs of approved open-source components so they can avoid using insecure components in their environments. 

The organization also partners with the maintainers of thousands of open-source projects to evaluate the security of components, and gather advice on vulnerabilities. 

It’s an approach designed to enable application development teams to quickly identify secure open-source tools while avoiding implementing any vulnerabilities in the environment that unscrupulous attackers could exploit. 

Cracking down on open-source vulnerabilities 

The announcement comes amid an industry-wide crackdown on open-source threats, with the White House Open Source Security Summit II recently taking place earlier this month, and companies including Amazon, Meta, Google, Microsoft, Ericsson, Red Hat and Oracle pledging $10 million annually to help improve open-source security.

Tidelift is one of the providers in the community playing a direct role in securing the open-source supply chain, partnering with the maintainers of open-source projects, and paying them to improve the health and security of their solutions, while providing development teams with a solution for adding new components into the workflow.

“We help developers move fast by streamlining the development process to remote obstacles that slow down application development. Development teams can improve decision making with contextually relevant, maintainer-originated data made available directly in the software development lifecycle,” said cofounder and CEO of Tidelift, Donald Fischer. 

“They can also create a catalog of prevetted, approved open-source components that reduces duplicative work and accelerates development,” Fischer said.

The providers addressing open-source supply chain security 

Tidelift’s investment also coincides with the wider growth of the global security and vulnerability management market, which researchers project will grow from $13.8 billion in 2021 to $18.7 billion by 2026, as more organizations look to secure their environments and the software supply chain against threat actors. 

The organization is competing against a range of providers including FOSSA, which raised $23.2 million in funding as part of a series B funding round in 2020, and provides an open-source management platform with zero-configuration scanning for application vulnerabilities, end-to-end third-party code management, and license compliance. 

Another key competitor is Snyk, a solution that can automatically identify and remediate vulnerabilities in code, dependencies or containers with security intelligence. 

Snyk most recently raised $530 million and achieved an $8.5 billion valuation in September last year, making it one of the biggest providers focusing on securing the software supply chain. 

However, one of the key differentiators of Tidelift as a solution in the market is the organization’s partnership with the maintainers of open-source projects. 

“We partner with them to ensure projects are enterprise-ready, meeting clearly defined security, licensing and maintenance standards. And we pay them for the additional value they create by maintaining their projects to enterprise standards,” Fischer said.