It's Not Enough to Just Hope for Secure Open Source Software
September 30, 2024

Lauren Hanford
Tidelift

If you are like many developers, your work relies heavily on open source code. But do you ever stop to consider where this code comes from and what motivates the people who write it to keep it maintained and secure? We recently surveyed over 400 open source maintainers to learn more about their work, including how they fund it and what kinds of security and maintenance practices they have in place. Here are a few of the most critical findings we uncovered that impact development teams relying heavily on open source.

60% of maintainers are not paid for their work

Would it surprise you to find out that the majority of open source packages are maintained by completely unpaid hobbyist volunteers?

And that very few packages are maintained by full-time paid professional maintainers?


Unfortunately, volunteer maintainers are the norm and not the exception today. Our study found that 60% of maintainers describe themselves as unpaid hobbyists, while only 12% are professional maintainers who earn most of their income from maintaining their projects. Another 24% of maintainers identify as semi-professional maintainers and earn some of their income from maintaining projects.

Meanwhile, maintainers who get paid more are also able to devote more time to maintaining their open source projects. We asked maintainers how much time they spend on their maintenance work, then cut the data into three categories: professional maintainers, semi-professional maintainers, and unpaid hobbyists.


For professional maintainers, 82% are able to devote more than 20 hours per week to their maintenance work. Conversely, only 8% of unpaid hobbyists devote more than 20 hours per week, and the vast majority (78%) devote 10 hours per week or less.

Question to address within your team: what is our strategy for replacing a deeply nested open source dependency if its maintainer isn't able to devote enough time to keeping it secure and well maintained because of time and financial constraints?

Paid maintainers implement more critical security and maintenance practices than unpaid maintainers

So what is the impact of having so many maintainers as unpaid hobbyist volunteers?

It means that they can't afford to make the time to do the same security and maintenance work that paid maintainers can do — and they often don't.

We asked maintainers to tell us if they had implemented 16 important security and maintenance practices for their projects. Paid maintainers are on average 55% more likely to have implemented these critical practices than unpaid maintainers.

When it comes to key practices, like having a security disclosure plan, signing releases and providing artifact provenance, and publishing fixes and recommendations for vulnerabilities, paid maintainers were significantly more likely to have implemented the practices than unpaid maintainers, as you see in the chart included here.


Questions to address within your team: how much do you know about the security and maintenance practices followed by the maintainers of the open source projects you rely on most? Which of these practices would you expect to be in place for the code you write yourselves?

Maintainers are underpaid, underappreciated and stressed out

Each year in our survey, we ask maintainers to tell us what they dislike most about their work. The answers stay remarkably consistent. The number one thing maintainers dislike is that they are not financially compensated enough, or at all, for their work, with exactly half of maintainers choosing this reply. Slightly less than half of maintainers (48%) report that they feel underappreciated or that the work is thankless. And 43% of maintainers say the work adds to their personal stress. Meanwhile, 39% of maintainers dislike that they are asked to comply with requirements they don't have the time for, and the same percentage think that users are too demanding and expect too much of them.

Maintainers had a lot to say on this subject. As one open source maintainer told us, "the entitlement of the open source community is off the charts." Another maintainer observed that "most users, even ones who require fixes, are not willing to roll up their sleeves to help. They just expect someone else to fix it for free."

Against this backdrop, it may come as no surprise that 60% of maintainers have either quit or considered quitting their maintenance work.


Questions to address within your team: do we know which packages we rely on have been or are at risk of being abandoned or declared end of life? What is our strategy if we need to rip and replace up to 60% of our open source? Are we prepared to fork and maintain it ourselves?

How can you contribute to the health and security of the open source software your organization depends on?

It does not require a PhD in economics to understand that when people are paid, they will do more than when they are not paid, and that the more you pay them, the more they are willing to do. But this year's survey gives us a few different lenses through which to explore the improvements organizations can expect to see when they prioritize paying the maintainers of the projects they use. If having healthy, well-maintained, and secure open source dependencies is a priority for your organization, ensuring your maintainers themselves are financially healthy and well-maintained should be a priority, too.

Lauren Hanford is VP of Product at Tidelift