It's Not Enough to Just Hope for Secure Open Source Software
September 30, 2024

Lauren Hanford
Tidelift

If you are like many developers, your work relies heavily on open source code. But do you ever stop to consider where this code comes from and what motivates the people who write it to keep it maintained and secure? We recently surveyed over 400 open source maintainers to learn more about their work, including how they fund it and what kinds of security and maintenance practices they have in place. Here are a few of the most critical findings we uncovered that impact development teams relying heavily on open source.

60% of maintainers are not paid for their work

Would it surprise you to find out that the majority of open source packages are maintained by completely unpaid hobbyist volunteers?

And that very few packages are maintained by full-time paid professional maintainers?


Unfortunately, volunteer maintainers are the norm and not the exception today. Our study found that 60% of maintainers describe themselves as unpaid hobbyists, while only 12% are professional maintainers who earn most of their income from maintaining their projects. Another 24% of maintainers identify as semi-professional maintainers and earn some of their income from maintaining projects.

Meanwhile, maintainers who get paid more are also able to devote more time to maintaining their open source projects. We asked maintainers how much time they spend on their maintenance work, then cut the data into three categories: professional maintainers, semi-professional maintainers, and unpaid hobbyists.


For professional maintainers, 82% are able to devote more than 20 hours per week to their maintenance work. Conversely, only 8% of unpaid hobbyists devote more than 20 hours per week, and the vast majority (78%) devote 10 hours per week or less.

Question to address within your team: what is our strategy for replacing a deeply nested open source project if its maintainer, because of time and financial constraints, isn't able to devote enough time to keeping it secure and well maintained?

Paid maintainers implement more critical security and maintenance practices than unpaid maintainers

So what is the impact of having so many maintainers as unpaid hobbyist volunteers?

It means that they can't afford to make the time to do the same security and maintenance work that paid maintainers can do — and they often don't.

We asked maintainers to tell us if they had implemented 16 important security and maintenance practices for their projects. Paid maintainers are on average 55% more likely to have implemented these critical practices than unpaid maintainers.

When it comes to key practices, like having a security disclosure plan, having signed releases and artifact provenance, and fixes and recommendations for vulnerabilities, paid maintainers were significantly more likely to have implemented the practices than unpaid maintainers, as you see in the chart included here.


Questions to address within your team: how much do you know about the security and maintenance practices followed by the maintainers of the open source projects you rely on most? Which of these practices would you expect to be in place for the code you write yourselves?

Maintainers are underpaid, underappreciated and stressed out

Each year in our survey, we ask maintainers to tell us what they dislike most about their work. The answers stay remarkably consistent. The number one thing maintainers dislike is that they are not financially compensated enough, or at all, for their work, with exactly half of maintainers choosing this reply. Slightly less than half of maintainers (48%) report that they feel underappreciated or that the work is thankless. And 43% of maintainers say the work adds to their personal stress. Meanwhile, 39% of maintainers dislike that they are asked to comply with requirements they don't have the time for, and the same percentage think that users are too demanding and expect too much of them.

Maintainers had a lot to say on this subject. As one open source maintainer told us, "the entitlement of the open source community is off the charts." Another maintainer observed that "most users, even ones who require fixes, are not willing to roll up their sleeves to help. They just expect someone else to fix it for free."

Against this backdrop it may come as no surprise that 60% of maintainers have either quit or considered quitting their maintenance work.


Questions to address within your team: do we know which packages we rely on have been or are at risk of being abandoned or declared end of life? What is our strategy if we need to rip and replace up to 60% of our open source? Are we prepared to fork and maintain it ourselves?
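The two sets of team questions above (which practices, such as a security disclosure plan, signed releases and artifact provenance, are in place for the packages you depend on, and which packages are at risk of being abandoned) are answerable only if the signals are collected and scored somewhere. The script below is an added example, not code from this post, from Tidelift or from the survey: it takes a small, constructed inventory of dependency health signals and flags the packages a team should plan to fund, fork or replace. The field names, the one-year staleness threshold and the scoring rule are assumptions of this example; in practice the records would be populated from a package registry, the project's security policy file, release signatures and provenance attestations.

```python
"""Triage open source dependencies on maintenance and security signals.

Added example, not the survey's data or Tidelift's tooling. The package
records are constructed for illustration; the scoring rule is an assumption.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PackageSignals:
    """Health signals collected for one dependency (all fields are inputs)."""
    name: str
    last_release: date
    active_maintainers: int
    funded: bool                # maintainer is paid for work on this project
    has_security_policy: bool   # a published security disclosure plan exists
    signed_releases: bool       # release artifacts carry verifiable signatures
    has_provenance: bool        # build/artifact provenance is published
    end_of_life: bool = False   # maintainer has declared the project abandoned


@dataclass
class Assessment:
    name: str
    risk: str                   # "low", "medium" or "high"
    findings: list[str] = field(default_factory=list)


def assess(pkg: PackageSignals, today: date, stale_days: int = 365) -> Assessment:
    """Turn raw signals into a list of findings and a coarse risk level."""
    findings = []
    age_days = (today - pkg.last_release).days
    if pkg.end_of_life:
        findings.append("declared end of life")
    if age_days > stale_days:
        findings.append(f"no release in {age_days} days")
    if pkg.active_maintainers < 2:
        findings.append("single maintainer (bus factor of one)")
    if not pkg.funded:
        findings.append("maintainer unpaid")
    if not pkg.has_security_policy:
        findings.append("no security disclosure policy")
    if not pkg.signed_releases:
        findings.append("releases are not signed")
    if not pkg.has_provenance:
        findings.append("no artifact provenance")

    # Scoring rule (an assumption of this example, not a published standard):
    # an abandoned or stale single-maintainer project is high risk outright;
    # otherwise the number of missing practices drives the level.
    if pkg.end_of_life or (age_days > stale_days and pkg.active_maintainers < 2):
        risk = "high"
    elif len(findings) >= 4:
        risk = "high"
    elif len(findings) >= 2:
        risk = "medium"
    else:
        risk = "low"
    return Assessment(pkg.name, risk, findings)


# Constructed sample inventory; the "as of" date is the post's publication date.
AS_OF = date(2024, 9, 30)
SAMPLE_PACKAGES = [
    PackageSignals("libgood", date(2024, 8, 1), 3, True, True, True, True),
    PackageSignals("midlib", date(2024, 5, 10), 1, False, True, True, False),
    PackageSignals("hobbycore", date(2022, 3, 15), 1, False, False, False, False),
]


def triage(packages=SAMPLE_PACKAGES, today=AS_OF) -> dict[str, Assessment]:
    """Assess every package and index the results by name."""
    return {pkg.name: assess(pkg, today) for pkg in packages}


def replacement_candidates(assessments: dict[str, Assessment]) -> list[str]:
    """Packages the team should plan to fund, fork or replace, sorted by name."""
    return sorted(name for name, a in assessments.items() if a.risk == "high")


if __name__ == "__main__":
    results = triage()
    for name, a in results.items():
        print(f"{name}: {a.risk}")
        for finding in a.findings:
            print(f"  - {finding}")
    print("replacement candidates:", replacement_candidates(results))
```

Running the script on the constructed inventory rates `libgood` low, `midlib` medium (one unpaid maintainer and no provenance, but a policy and signed releases) and `hobbycore` high, and lists only `hobbycore` as a replacement candidate. Feeding it a real lock file's worth of records gives the team the "which packages are at risk" answer the questions above ask for, and the findings column shows which of the practices from the chart are missing for each one.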

How can you contribute to the health and security of the open source software your organization depends on?

It does not require a PhD in economics to understand that when people are paid, they will do more than when they are not paid, and that the more you pay them, the more they are willing to do. But this year's survey gives us a few different lenses through which to explore the improvements organizations can expect to see when they prioritize paying the maintainers of the projects they use. If having healthy, well-maintained, and secure open source dependencies is a priority for your organization, ensuring your maintainers themselves are financially healthy and well-maintained should be a priority, too.

Lauren Hanford is VP of Product at Tidelift