Announcement
Tacit for Open Source
Feb 26, 2026
A free plan for projects that need one clear security status page to publish, track, and update vulnerability statements.

When we started building Tacit, one decision was immediate: open source projects should get access for free.
Open source sits at the center of the software supply chain. A single dependency can impact thousands of downstream products. When a vulnerability is discovered, the community doesn't just need a CVE ID. They need live context. They need to know which versions are actually affected, what the current investigation status is, and exactly where the fix is available.
Tacit exists to turn security findings into a trackable, readable public communication flow.
Not another Database. A Communication Layer.
It is important to distinguish between a Vulnerability Advisory Database and a Communication Platform:
NVD/OSV/CVE: These are data repositories. They are great for automation and broad indexing, but they are often "static" or slow to reflect the nuanced, evolving reality of a specific project.
Tacit: This is your Security Status Page. Just as you use a status page to communicate service uptime, you use Tacit to communicate security posture. It’s the source of truth where you control the narrative, providing real-time updates as you triage, patch, and release.
Moving Beyond Static Advisories
Most projects currently post security information in fragmented ways, such as a Markdown file in a repo or a GitHub Advisory. While these work for a "moment in time," they fail as the situation evolves.
The advantage of Tacit is persistence and clarity. It acts as a hub where users can follow a specific product and version to see a live "Statement of Health." Instead of re-reading three different release notes to see if a backport happened, a user checks your Tacit page and sees the current state of play.
What’s included in the Open Source Plan?
The Open Source plan is $0/month. It is designed to be public-by-default, ensuring that security information is never gated behind a paywall.
1. Unlimited Watchers & Members
Open source security is a team sport. We don't believe in "per-seat" friction for community projects.
For Maintainers: Add as many team members as you need to map your organization’s workflow.
For Users: There is no limit on "Watchers." Anyone can subscribe to your project’s page to receive instant notifications via email, SMS, or the in-app feed.
2. SBOM Import + Daily Analysis
This is your detection foundation. You can import your SBOMs via our web app or API. Tacit then performs a scheduled analysis (1 scan/day) to keep your baseline signal consistent. It’s the bridge between what’s in your code and what you need to tell the world.
3. Live Triage Statuses
Avoid the "noise" of raw vulnerability data. Tacit provides structured triage statuses so you can clearly communicate:
Under Investigation: We’re looking into it.
Not Applicable: The code exists but the vulnerability isn't exploitable here.
Applicable: The vulnerability is confirmed and affects this version. Users should prepare for a patch or apply workarounds.
Fixed: Here is the patch/version you need.
4. Public Disclosure & Instant Notifications
This plan is public by default because transparency is the backbone of open source. When you update a statement, your watchers are notified instantly through their preferred channel. They don't have to "check back later"; you push the truth to them.
Eligibility
This plan is for genuine open source projects that prioritize transparency. To qualify:
The project must be publicly accessible and under a recognized open-source license.
The Tacit workspace must be used for public disclosure.
If your organization requires private disclosure flows, gated audiences, or internal-only staging areas, our Pro or Enterprise plans will be a better fit.
