Welcome to this CUBE conversation. This is part of the second season of the AWS startup showcase, season two, episode one. I'm Dave Nicholson, and I am joined by a very special guest, CEO and co-founder of Tidelift, Mr. Donald Fisher. Donald, welcome to theCUBE. Thanks, David, really glad to be here. So first and foremost, tell us about Tidelift. Happy to, yeah. So at Tidelift, we're on a mission. Our mission is to make open source software work better for everyone. And when we say that, we mean make it work better for all the organizations and governments and everybody that depends on open source software to build the applications that we all rely on. But also part of our mission is making open source work better for the creators of open source, the independent open source maintainers who are behind so many of those building blocks, the technology building blocks that our commerce, industry and society are comprised of these days. They've got a hard task to hold up all of that stuff and make sure that it meets professional-grade standards and that we can all rely on it. And so we want to do our part to help both sides of that equation. Fantastic. Well, I want to double click on a few of the things that you said, but I think I want to format this by starting out with a little role play between the two of us, if you don't mind. I know you're CEO, but for the sake of this, you're going to be the CIO and I'm going to be the CEO, and we're going to play off some recent events here. So, hey, Donald, come on in, sit down. Listen, I want to talk to you about this whole "log shell", "log-for-something-or-another" thing that's going on. So let me get this straight. Our multinational Fortune 500 company is dependent upon software that's free, and somehow we've been running this and the people who maintain it do it for free. We don't pay for it, but somehow this has opened us up to a threat from people who can log into a system we're using to keep track of stuff, and then what's going on?
By the way, you're fired, but I want to know if you can stay on for the next 90 days to train your replacement. But explain to me what's going on with this whole open source nonsense. Yeah, don't panic, boss. Only about 70 or 80% of the software in our enterprise is third-party open source software. So there's definitely like 20 or 30% that's not. And we're on top of it. Now, yeah, I think you're right to say we are completely dependent on this software that's being created by these, you know, amazing folks on the internet. Boss, you told me that we had to have a global corporation here with the modern digital customer experience. We're not going to be able to do it using Microsoft FrontPage from 1997, and there's nothing else, no other path to take than to build with modern building blocks. And today, in the modern era, that means building on open source packages and technologies across a whole slew of language ecosystems like JavaScript, Java, PHP, Ruby, Python, .NET, Rust, Go. We use all of it here, boss. And we don't get to have a business unless we do. Okay, so I didn't understand a word that you just said, but it was enough to convince me to let you keep your job. So, end scene. We're not getting paid scale wages to do this, Donald, so I think we can go back to our normal personas. So how does Tidelift play into all of this? I really want to hear about this concept of what an open source maintainer is, because these are largely volunteers, aren't they, in terms of the maintenance that they're doing? Yeah, so I mean, there are a lot of different models for open source software development. There certainly are a number of foundational open source projects, certainly at the infrastructure level, like operating systems, databases and things like that, that tend to be predominantly driven by vendors, software vendors; you can think of Red Hat, VMware, organizations like that.
But when you get up to the application development world, teams building websites, web applications, mobile applications, most of the building blocks at that tier in these programming language ecosystems, most of the software there that enterprise organizations use, is actually being created by individual, independent open source maintainers where it's not their day job. It's a side hustle for them. And it's a really interesting question, like, how did we get here? Why are these folks doing it? It sort of rhymes with the question I asked myself years ago, like, who's typing all the stuff into Wikipedia and why? It's an amazing resource. I'm so glad it's there, but why are they doing this? And it turns out that there are a bunch of motivations, or some cynical motivations that people attribute to the open source maintainers that are practical too: people say your GitHub repository is your resume as a modern developer, things like that help you get a reputation, you can use that to get a job. But when we've talked to the maintainers of the most widely used open source packages, and by that I mean thousands of packages that every major organization that builds software relies on, the main reason why they do it is actually impact, we found; we've actually done direct surveys of this audience. And the reason why they spend their nights and weekends and carve out time where they could be getting paid to do something else, or go skiing or go to the beach, is that it really feels good to have this creative activity that they put out into the world. And they know that folks use this stuff and rely on it, and there's a pride in their work and the impact that they're making. But the challenge with this model is that when it's only an impact-and-pride and sort of good-feeling-driven effort, it means that maybe all of the standards that organizations might want their software to meet don't get done, right?
Like, it's one thing if you've got a job as a software engineer building corporate software, or even as a maintainer at a corporate open source company, and you have a checklist of standard enterprise software development, commercial-grade software development tasks that you need to be completing. If you're doing it as a side hustle for good reasons like impact and releasing your creative juice, you might not get to some of the more boring aspects of commercial software engineering, like security engineering and some of the documentation and release engineering and making sure there's structured metadata around all the elements of it. And that's the gap that we're really trying to fill at Tidelift by connecting these two audiences. Yeah, how? You want to fill the gap, you want to connect the audiences, but how do you do that? Yeah, perfect. So we do it by paying the maintainers, paying the open source maintainers actual dollars, or the currency of their preference. And what we're paying them for is not just to sort of hack on their projects, or hack on their projects more; we're asking them to help us ensure that the software that the organizations we work with depend on meets certain specific, concrete enterprise standards. And those standards fall into three categories: security, licensing and maintenance. So on the security front, the baseline standard there is making sure that we have known versions of the open source packages that are free of known defects. So there's a catalog of known security defects that the industry uses called the National Vulnerability Database. You may have seen the terminology CVE referred to in passing. That's the identifier for these things. So we work with the open source maintainers to make sure that we've figured out, mapped out, which versions of software packages are impacted by known security vulnerabilities.
And then we also look forward and make sure that we have a plan in place for what happens in the future when there are security vulnerabilities. So in traditional commercial software, there's a security response team who's kind of standing by 24/7, ready to respond. And then there's a defined protocol of what's going to happen in terms of what's called responsible disclosure: telling the right folks in the right sequence that there is a vulnerability, causing there to be a patched version of the software available, communicating that through. Traditional commercial software vendors for years have been doing that internally. That doesn't exist by default for volunteer, part-time, independent open source maintainers. So we fill that gap, and we pre-wire that with them to make sure that first track, security, is buttoned up. So you're paying them. Are you and your co-founders wealthy philanthropists that are just doing this, or what's the business model here? Now you're paying these people who are doing it for free. They're happy, but how does that translate into a business model for Tidelift? Perfect, so the work that they're doing: I talked a little bit about security. We also do similar things on those other attributes, like licensing, making sure that the licenses are completely accurate and we kind of know who wrote the software, et cetera. And then maintenance: is it being proactively cared for going forward? Is somebody still on the case with these projects? Now, the result of all of that work is we create a vetted catalog of known good open source releases that we vetted with the experts, often the individuals and teams that wrote the code in the first place. Usually, we've vetted that it meets these enterprise standards. That's a really useful tool for organizations that are building with that. So the way that we convey that to organizations that are building software, in a useful way, is we have a SaaS, software-as-a-service, platform.
That's what Tidelift is. And basically the teams that use this stuff, they plug us into their software development process, typically alongside other tools that they might have, like CI/CD tools that are running tests on their application logic. They'll plug Tidelift into their release process to ensure that the 70 or 80% of the software that they ship that comes from GitHub, comes from the Python Package Index or npm or the Maven Central repository for Java, we're vetting that that meets their enterprise standards and ensuring that the ingredients, the building blocks that go into their applications, are known good and vetted to these concrete standards. This is an unsolved problem for almost every serious organization. There are a couple of overperforming organizations; Google has done some amazing internal work on this. Amazon has an incredible dedicated team that does this internally for Amazon developers. Very few other organizations, even some of the largest multinational companies, have a dedicated internal function doing this comprehensively and systematically. Tidelift is that function that these organizations can use. They can work with us and our network, our unique network of hundreds of these independent open source maintainers, to ensure that there's a feed of known good, vetted packages to go into their applications. So are maintainers going in and auditing and editing and vetting software that was essentially created by others? That's one question. And then the other question that kind of goes along with that is, are you vetting a gold copy of something and saying this software meets certain criteria, you should feel okay using it? That's one thing. Validating that the actual distribution, the actual code that's being executed in their enterprise, is secure and hasn't been tampered with is another thing. So where do you sit in that distribution channel, or that supply chain? Sure.
So on the distribution front, you can think of us, we're sort of a GPS system that your application developers can use to know which versions of software are going to meet your enterprise standards. We don't create a separate world where we have our own side copy of the entire development ecosystem. It's not what these organizations want. They don't want to use some weird enterprise-world set of open source packages. They want to just type npm install, have the software flow into their organization, but they also want it to not have any security vulnerabilities in it. And they don't want to get bitten two weeks or two years later with a license violation because there was kind of fuzzy or incomplete data around the open source license. So what we do is we help them consume the open source software, knowing that it's been vetted to these standards. And then we also work with the open source community to cause the software to be changed to meet those standards, right? So back to the first part of your question: we work with a lot of projects with the prime maintainers, often the authors, as I said, and we've actually been extending our model over the years to work with these open source maintainers to cover not just their own project, but some of those neighboring projects, right? Like, for projects that their project depends on, other projects that are co-used with them. They have a lot of expertise and also, you know, relationships with the surrounding open source community there. So they're working with us as curators, if you will, or ambassadors that help us get out in the community and cover as much of the landscape as possible. And so what's the relationship with AWS? This is, you know, we're talking here as part of the AWS startup showcase season two, episode one, which is, that's actually pretty cool. So we need to, the challenge here is season one was awesome, much like Ted Lasso season two. We have big shoes to fill here, Donald.
So what's the relationship with AWS? And I mean, why would they call you out as someone interesting for us to talk to? Yeah, so we've had a great relationship that we've been investing in and working on together with AWS. So every one of AWS's customers faces this challenge around the software workloads that they're deploying on AWS. You know, you can't argue against the fact that the vast majority of the application software in the modern world is comprised, in the majority, of this third-party open source software. And so it's really important, whether it's running on a device, you know, an edge device, or whether it's running in a cloud data center, that those applications meet these standards, especially on the security front. So AWS recognizes this need and opportunity for their customers. And so we've been working really well jointly with them. We're glad to say that we're an ISV, an AWS ISV Accelerate Partner now, which gives us the ability to co-engage with AWS and work together to solve mutual customers' challenges. And we've had a great time working with the AWS team to help scale up our efforts to get the word out around this important area. And then, more importantly, give organizations the tools to address it and make sure that they have a comprehensive strategy for managing their open source in place. Fantastic. Donald, we're up against time, but I do have a 10-second answer I'd like from you. Tidelift, is that a reference to a rising tide lifting all boats? Or is it an admonishment not to build a house on the beach in Malibu? It's the former. You know, think about this network of independent open source maintainers working together: a rising tide lifts all boats. Eight seconds, that was like four seconds, perfect. Donald Fisher from Tidelift, thank you so much. From me, Dave Nicholson here at theCUBE. This has been a CUBE conversation as part of AWS's startup showcase, season two, episode one. Come to theCUBE for the best in tech coverage.
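The interview describes plugging a vetted catalog into the release process and checking each shipped dependency version against three standards: known security vulnerabilities (mapped to affected version ranges), license accuracy, and active maintenance. The Python below is an added example of what such a release gate looks like when run over a pinned lockfile; it is not part of the interview and not Tidelift's own code or data model. Every package name, advisory identifier, license value and version range in it is a constructed placeholder, and the convention that a version is affected when `introduced <= version < fixed` is an assumption of the example, not something the transcript states.

```python
import re
from dataclasses import dataclass

# Constructed vetted catalog (placeholder names and advisory ids, not real data).
# Per package: its license, whether someone is actively maintaining it, and
# advisories as (advisory_id, introduced_version, fixed_version); a pinned
# version is treated as affected when introduced <= version < fixed (assumption).
CATALOG = {
    "examplelog": {"license": "Apache-2.0", "maintained": True,
                   "advisories": [("ADVISORY-PLACEHOLDER-1", "2.0.0", "2.15.0")]},
    "goodlib":    {"license": "MIT", "maintained": True,
                   "advisories": [("ADVISORY-PLACEHOLDER-2", "1.0.0", "1.4.0")]},
    "oldlib":     {"license": "SSPL-1.0", "maintained": False, "advisories": []},
}

# Licensing standard: only these identifiers are acceptable in the shipped product.
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    category: str   # "security", "licensing", "maintenance" or "unvetted"
    detail: str


def parse_version(text):
    """Turn '2.14.0' (optionally with a pre-release suffix) into a comparable tuple of ints."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_lockfile(text):
    """Parse pinned 'name==version' lines; blank lines and '#' comments are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"dependency is not pinned: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version, introduced, fixed):
    """Range check for one advisory (half-open on the fixed version)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def evaluate(lockfile_text, catalog=CATALOG, allowed_licenses=ALLOWED_LICENSES):
    """Check every pinned dependency against the security, licensing and maintenance standards."""
    findings = []
    for name, version in parse_lockfile(lockfile_text).items():
        entry = catalog.get(name)
        if entry is None:
            # Nothing vetted about this package at all: surface it rather than silently pass.
            findings.append(Finding(name, version, "unvetted", "not in the vetted catalog"))
            continue
        for adv_id, introduced, fixed in entry["advisories"]:
            if is_affected(version, introduced, fixed):
                findings.append(Finding(name, version, "security",
                                        f"{adv_id}: affected, fixed in {fixed}"))
        if entry["license"] not in allowed_licenses:
            findings.append(Finding(name, version, "licensing",
                                    f"license {entry['license']} is not on the allowlist"))
        if not entry["maintained"]:
            findings.append(Finding(name, version, "maintenance",
                                    "no active maintainer on record"))
    return findings


def release_gate(lockfile_text):
    """True when the lockfile has no findings; a CI step would fail the build otherwise."""
    return not evaluate(lockfile_text)


# Constructed lockfile with placeholder package names (not a real project's pins).
SAMPLE_LOCKFILE = """\
# constructed lockfile
examplelog==2.14.0
goodlib==1.4.2
oldlib==0.9.1
mysterylib==3.0.0
"""

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOCKFILE):
        print(f"[{f.category}] {f.package}=={f.version}: {f.detail}")
    print("release gate:", "PASS" if release_gate(SAMPLE_LOCKFILE) else "FAIL")
```

Run against the constructed lockfile, the gate reports four findings and fails: one security finding (the pinned `examplelog` falls inside the advisory's affected range), a licensing and a maintenance finding for `oldlib`, and an "unvetted" finding for the package that the catalog knows nothing about. Treating an unknown package as a finding rather than a pass is the design choice that matters: the transcript's point is that the vetted catalog is the allowlist, so absence from it is a gap to close, not an implicit approval.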