
Security News

Sonar to Acquire Tidelift, Scaling Open Source Maintainer Support

Sonar’s acquisition of Tidelift highlights a growing industry shift toward sustainable open source funding, addressing maintainer burnout and critical software dependencies.


Sarah Gooding

December 18, 2024


Sonar, a code quality and security solutions company used by 7M developers, announced it will be acquiring Tidelift, in a deal that highlights a growing emphasis on securing open source software.

Tidelift's focus has been on improving open source sustainability through maintainer partnerships and providing health assessments of open source packages. The company’s unique approach pays maintainers of thousands of open source packages to make their projects healthier and more secure.

Sonar’s acquisition enables it to integrate these capabilities into its broader platform, which addresses code quality for internally written and AI-generated code. Combined, the companies will focus on improving the quality, health, and visibility of open source components, and enable Tidelift to scale its current capabilities.

“In an important way, given Sonar's focus on code quality, this is my career coming full circle,” Tidelift co-founder Luis Villa said. “Software quality is where I first volunteered in open, with Mozilla's bugzilla, and then got my first open source job with Ximian, QAing GNOME.

“This time around, though, building quality software has changed a lot. It's not just that software is now vastly more complex, and entirely dependent on a web of underappreciated and underpaid maintainers. There is also more law (and more regulation) pressing everyone to build robust, reliable software.”

Earlier this year, Tidelift’s State of the Open Source Maintainer report highlighted the concerning state of burnout among maintainers. According to the survey, 60% of maintainers are still not paid for their work and 60% are considering quitting. The vast majority of them are supporting their projects as solo maintainers. Unsurprisingly, the survey found that paid maintainers are able to create more secure software. As noted by Tidelift’s CEO Donald Fischer, "Paid maintainers are 55% more likely to implement critical security and maintenance practices than unpaid maintainers."

This acquisition is a milestone in Tidelift's journey as an important player in the industry working on improving open source sustainability. By financially supporting maintainers through its model, Tidelift is wrangling one of the fundamental challenges of open source security: underfunded and overburdened maintainers. Its acquisition by Sonar represents both a validation of Tidelift's approach to maintainer support and an opportunity to potentially scale this model to reach more of the open source ecosystem.

A Broader Shift Toward Sustainable Open Source Funding

This reflects a growing recognition across the industry that securing the open source ecosystem requires not just better tools, but also better support for the people maintaining it. Tidelift isn’t the only one addressing this challenge. Initiatives like Ecosystem Funds, Open Source Collective’s new collaboration with Ecosyste.ms, and platforms such as GitHub Sponsors are also stepping in to provide maintainers with financial support and resources to sustain their work effectively.

Ecosystem Funds launched earlier this month to provide organizations with a streamlined way to support the deep dependencies that power their software. Rather than requiring companies to identify and fund individual packages manually, Ecosystem Funds enables sponsors to direct resources to entire ecosystems—such as Python, Rust, or JavaScript—without the overhead of figuring out where the money should go.

This approach represents a significant evolution in how open source is funded. Historically, much of the funding for open source has been concentrated on high-profile projects, leaving smaller but equally critical components underfunded. Ecosystem Funds aims to address this imbalance by redistributing resources across a broader range of projects within each ecosystem.

At the heart of these developments is the need to ensure the sustainability of open source software. Like Tidelift, the Open Source Collective acknowledges that many open source projects are maintained by individuals or small teams who often lack the time or resources to prioritize security and maintainability. By creating a transparent and traceable funding system, Ecosystem Funds reduces friction for sponsors while ensuring that critical projects—and their maintainers—receive the support they need.

The Ecosystem Funds model also complements Tidelift’s approach by targeting a similar challenge: the need to scale funding mechanisms to reach more of the open source ecosystem. Where Tidelift works directly with maintainers to improve project health, Ecosystem Funds takes a higher-level approach by empowering ecosystems as a whole. Together, these strategies point to a future where the open source community can rely on more predictable, sustainable funding to meet growing demands.

The convergence of Tidelift’s approach and initiatives like Ecosystem Funds signals a broader industry trend: organizations are seeking systematic, scalable ways to fund open source. Whether through direct maintainer payments or ecosystem-based sponsorships, the goal remains the same: to ensure the long-term health and security of the software infrastructure modern applications rely on. This shift is becoming increasingly critical as the open source ecosystem grapples with the growing challenge of maintainers spiraling toward burnout, struggling to meet the demands of sustaining critical projects without adequate support.
