Chris Grams’ Post

As of this morning, the 2024 Tidelift maintainer survey is now open and accepting responses! 📬 If you are an open source maintainer and fill out the survey, we'll send you the 👉 trippy new pay the maintainers t-shirt 👈 we made for Upstream this year. If you are a lifter (one of Tidelift's maintainer partners), we'll also send you a special new Tidelift lifter hoodie! 🙌 The data we've collected in our first two maintainer surveys has been widely cited to help make the case for investing more in the maintainer ecosystem, so every response we get helps make the dataset more robust and useful. Tagging the lifters I know are on LinkedIn in the hopes that you'll share this here or anywhere you hang out with other maintainers. Thanks in advance Jordan Harband Seth Michael Larson Jeffrey Clark Valeri Karpov Wesley Beary Gary Gregory Tatu Saloranta Ned Batchelder Andres Almiray Forbes Lindesay Jason R. Coombs Jesse McConnell Pelle Wessman Reinier Zwitserloot Stephen Colebourne for any help you can provide to spread the word! 🙏 Survey link below, my blog post announcing the survey, and links to previous survey reports in the comments! https://lnkd.in/g-MRuH5u

James Berthoty is a unicorn in the software security space who communicates about complex subjects clearly. 🦄 In this clip from his excellent Upstream talk a few weeks ago, he argues that if organizations are going to see open source maintainers as vendors, they actually need to treat them like they would treat any of their other vendors. From the talk: "We call open source maintainers vendors when we treat them like vendors, and we publish CVEs and expect them to fix them as if they are contractors. So we should actually 👉 pay them and have some kind of contract in place 👈 as though they are vendors or contractors to establish the relationship ahead of time. It's 👉 extremely unfair 👈 how we expect them to patch CVEs without having any formal relationship to us." 🎤 💧 💪 Watch the full talk here: https://lnkd.in/g3cUDzWY cc: Tidelift

A few months ago I went to the RSA Conference for the first time and, as a professional communicator, I'm not gonna lie, I was bummed by what I saw there. 😳 My friends, the state of clear communication in the software security industry is... not strong. 🥨 Part of it is simply that we exist in a complicated, confusing space, with lots of edge solutions that address one small part of an overwhelmingly large security problem. But there is also just a lot of meaningless jargon and acronyms, abstract messaging that is too technical or not technical enough, and a !@#$ton of FUD. I came back wanting to see if Tidelift could do our part to communicate better, try to simplify what we do into words actual humans use. Here's one result of that effort: a new three minute video explanation of what Tidelift does and how we help our customers, coming from a very simple premise: 1️⃣ Problem: Using bad open source packages slows teams down and creates risk to organizations' revenue, data, and customers. 2️⃣ How Tidelift helps: Tidelift helps organizations proactively reduce their reliance on bad open source packages. 3️⃣ Why we are different than any other solution: We are the only company that partners with the maintainers of 1000s of the most-relied-upon open source packages and pays them to make their packages healthier and more secure. Take a watch, see how you think we did! 📽 Thanks also for Kanishka S. for his leadership on this project + my long time video collaborator Tim Kiernan and Peter Sperrazza for their excellent production and animation work! You can also access the video on youtube here: https://lnkd.in/g2n93_mn

Dropping some interesting news this morning as our own Lauren Hanford here at Tidelift HQ 🏢 announced that we've expanded our dataset to include open source package version-level end of life data and additional reporting capabilities. Full blog post with the announcement is here: https://lnkd.in/gWBT695h So why does this matter? Because packages and versions that have been declared end of life 🚨 no longer receive security updates 🚨 , many Tidelift customers have been looking to get a better handle on which versions of packages they are using directly or pulling in as transitive dependencies have been marked as end of life. The answer is often a bit scarier than they think 😅 , especially when it comes to transitive dependencies, so these new capabilities help our customers get a handle on exactly what the EOL risk looks like today AND 👉 get a sense for which packages represent the biggest risk 👈 so they can triage the important stuff first. As an example, check out this graphic below. This shows how a customer could quickly prioritize which end of life packages and versions to update first based on CVE scores + how many version majors behind the package/version is + how many applications are relying on it within the organization. The red circle shows a package that is relied on by 47 applications and is 3.5 majors behind with a CVE score of 9.8. I'd hit that one first! 🎯 Conversely, the green circle represents a package that is only 1.8 majors behind, with a CVE score of 4.3, and only 4 apps use it. Could save that one to fix on a rainy day! 🌧 For organizations that are overwhelmed with vulnerability reports and struggling to figure out where to prioritize the efforts, this represents a HUGE step forward in smartly reducing application risk. Cool stuff!

Thrilled to see that Kim Jokisch is now sharing her deep knowledge about culture, strategy, and coaching / learning / growing leaders with the world. If you are looking for a professional coach to help you continue to thrive in your career, I highly recommend Kim, whom I've worked with and collaborated with in many different capacities over um... let's say... years. Check out her website 👇 .