Unpaid open source maintainers struggle with increased security demands
Ensuring the security of the open source software that modern organizations depend on falls largely to the maintainers of that software, and the burden is growing as attacks on the software supply chain become more common, according to Tidelift.
Open source software security
In response, the US government launched a large-scale cybersecurity effort beginning with White House Executive Order 14028: Improving the Nation’s Cybersecurity, which led to the codification of secure development best practices in the NIST Secure Software Development Framework (SSDF).
More recently, the National Cybersecurity Strategy sets a new precedent for software security liability: the government intends to hold software producers liable for damages caused by preventable security vulnerabilities and to offer liability protections to organizations that can show they follow secure software development practices.
At the same time, industry leaders have come together to identify best practices and standards intended to improve open source software security, such as the Open Source Security Foundation (OpenSSF) Scorecard project and the Supply-chain Levels for Software Artifacts (SLSA) framework.
Open source maintainers take on additional work to meet standards
Tidelift analyzed survey responses from over 300 maintainers, the people who create and maintain open source software projects. One common thread is that maintainers are being asked to take on additional work to meet government and industry standards, and they say they would be more motivated to learn about those standards and apply them to their packages if they had the resources and compensation to do the work.
This is currently not the case, as 60% of maintainers describe themselves as unpaid hobbyists, while only 13% describe themselves as professional maintainers who earn most or all of their income from maintaining projects.
“Since almost all organizations rely heavily on open source in their applications, this new data demonstrates the increasing need to compensate and support the maintainers responsible for the health and security of the critical open source components we all depend on,” said Donald Fischer, CEO, Tidelift.
“Maintainers are being held accountable for keeping their projects secure and adhering to new standards, but are often not being recognized or paid for the additional work they are being asked to do. By addressing this inconsistency, we can ensure maintainers will continue their important work improving the security and long-term resilience of the open source software supply chain powering government and industry,” Fischer continued.
What researchers have found:
Despite increasing demands, most maintainers still don’t get paid for their work
60% of maintainers describe themselves as unpaid hobbyists, while only 13% describe themselves as professional maintainers earning most or all of their income from maintaining projects. 23% of maintainers describe themselves as semi-professionals, earning some of their income from maintaining projects.
The more maintainers get paid, the more they work on open source. 81% of professional maintainers spend more than 20 hours per week maintaining their projects, compared to 27% of semi-professional maintainers, and only 7% of unpaid hobbyist maintainers.
Maintainers are being asked to do more security work. Over 50% didn’t get the memo
Over 50% of maintainers are not aware of new security standards initiatives such as the OpenSSF Scorecard, SLSA, and the NIST SSDF.
Of the maintainers aware of one or more of these standards, 43% have already begun work to align with them or plan to begin within the next year.
Another 39% have no plans to align with these industry standards, and 19% are still on the fence, reporting that they do not know or are not sure whether they will do the work to bring their packages into line with them.
Maintainers to industry: We don’t have the time or the money to do more
38% of maintainers who do not plan to align their projects with industry standards say they just don’t have the time, while 37% won’t do it because they are not being paid for the work.
54% of maintainers would appreciate help so they can better understand these new standards and how they apply to their project, while 47% of maintainers want to be paid for undertaking the work needed to align their projects with the new standards.
Paid maintainers do more security and maintenance work than unpaid maintainers
Across every practice asked about, paid maintainers were more likely to have implemented it or to have it on their roadmap. More than 50% of paid maintainers have implemented or plan to implement 12 of the 16 common security and maintenance practices surveyed; for unpaid maintainers, the same is true of only 5 of the 16.
The gaps between unpaid and paid maintainers on some important security and maintenance practices are substantial. The largest are a formal backwards compatibility policy (39% unpaid vs. 71% paid, a 32-point gap), a defined dependency management process (26% vs. 57%, a 31-point gap), reproducible and verifiable build processes (47% vs. 77%, a 30-point gap), a security disclosure plan (42% vs. 69%, a 27-point gap), and providing fixes and recommendations for vulnerabilities (43% vs. 69%, a 26-point gap).