BOSTON, May 2, 2023 -- Tidelift, a provider of solutions for improving the security and resilience of the open source software powering modern applications, today released the 2023 State of the Open Source Maintainer Report. Against a backdrop of increasing urgency and attention to software security from government and industry, the report provides insights into the critical work of the open source maintainers responsible for ensuring the security of the open source software modern organizations rely on.
Software security is an important challenge and attacks on the software supply chain are becoming more frequent. In response, the U.S. government initiated a large-scale cybersecurity initiative beginning with White House Executive Order 14028: Improving the Nation’s Cybersecurity, which led to a codification of secure development best practices in the NIST Secure Software Development Framework. More recently, the National Cybersecurity Strategy sets a new precedent for software security liability, with the government intending to hold software producers liable for damages caused by preventable security vulnerabilities and offer liability protections to organizations that can show they follow secure software development practices.
At the same time, industry leaders have come together to identify best practices and standards that will improve open source software security, such as the Open Software Security Foundation (OSSF) Scorecards Project and the Supply Chain Levels for Software Artifacts (SLSA) framework.
Analysis of the survey responses of over 300 maintainers—the people who create and maintain open source software projects—reveals one common thread: maintainers are being asked to take on additional work to meet government and industry standards, and they would be increasingly motivated to learn more about those standards and how to apply them to their packages if they had the resources and compensation to do the work.
This is currently not the case, as 60% of maintainers describe themselves as unpaid hobbyists, while only 13% describe themselves as professional maintainers who earn most or all of their income from maintaining projects.
“Since almost all organizations rely heavily on open source in their applications, this new data demonstrates the increasing need to compensate and support the maintainers responsible for the health and security of the critical open source components we all depend on,” said Donald Fischer, co-founder and CEO, Tidelift. “Maintainers are being held accountable for keeping their projects secure and adhering to new standards, but are often not being recognized or paid for the additional work they are being asked to do. By addressing this inconsistency, we can ensure maintainers will continue their important work improving the security and long-term resilience of the open source software supply chain powering government and industry.”
Key Findings:
Despite increasing demands, most maintainers still don’t get paid for their work.
Maintainers are being asked to do more security work. Over 50% didn’t get the memo.
Maintainers to industry: We don’t have the time nor money to do more.
Paid maintainers do more security and maintenance work than unpaid maintainers.
Download a copy of the full survey report here.
About Tidelift
Tidelift, a 2022 Gartner Cool Vendor, helps organizations improve the resilience of the open source software powering modern applications. Its proactive, maintainer-backed approach to managing the open source software supply chain reduces risk and increases development velocity, so development teams can create more incredible software, even faster. https://tidelift.com/
Contact:
Kristen Wiltse
KW Communications
978-578-4047
kwiltse@comcast.net