Paid open-source maintainers spend more time on security
Paid maintainers are 55% more likely to implement critical security and maintenance practices than unpaid maintainers and are dedicating more time to implementing security practices like those included in industry standards like the OpenSSF Scorecard and the NIST Secure Software Development Framework (SSDF), according to Tidelift.
Open source is the modern application development platform, with up to 98% of applications containing open-source components and open-source code making up 70% or more of the average application. Yet the maintainers whose work is critical to the success of open source are being asked to do even more to ensure their projects are well maintained and secure, while 60% of them remain unpaid hobbyists.
Funding open-source maintainers boosts organizational security
Considering the increased attacks on the software supply chain, addressing the threat created by ignoring the needs of overworked, underappreciated, and underpaid maintainers should be a top priority for organizations relying on open-source software.
“The health and security of our global software infrastructure depends on open-source maintainers,” said Donald Fischer, CEO, Tidelift. “Paying maintainers improves their ability to ensure their projects meet the stringent security requirements that enterprise users require. These survey results show that organizations can positively impact their own security by funding the important work of the open-source maintainers whose projects they rely on.”
The top security practices implemented by paid maintainers include two-factor authentication (76% compared to 68% for unpaid maintainers), static code analysis (75% vs. 59%), providing fixes and recommendations for vulnerabilities (70% vs. 54%), security disclosure plan (66% vs. 43%), secrets management (58% vs. 39%), and signed release and published artifact provenance (50% vs. 28%).
The top maintenance practices implemented by paid maintainers include a formal policy around backwards compatibility (59% compared to 39% for unpaid maintainers), reproducible and verifiable build process (58% vs. 50%), code peer review process with multiple reviewers (53% vs. 27%), and a defined dependency management process (50% vs. 33%).
Many maintainers prefer to stay unpaid
Even with a larger sample of maintainers completing the survey compared to 2023, the percentage of maintainers who describe themselves as unpaid hobbyists stayed identical: 60%.
16% said they were unpaid hobbyists and would not want to get paid (compared to 14% in 2023), and 44% said they were unpaid hobbyists but would appreciate getting paid (compared to 46% in 2023).
It is concerning that the percentage of maintainers getting paid for their work hasn’t changed, especially in light of this year’s XZ Utils hack and with increased focus by both government and industry on the importance of securing the software supply chain.
25% report receiving income from donation programs, while for 24% of maintainers their open-source maintenance work is paid for as part of their salary because it is an explicit part of their job responsibilities.
Only a very small percentage of maintainers report receiving income from other sources, including 5% reporting direct payments or donations from companies (non employer) and another 5% reporting direct payments or donations from individuals.
Only 3% of open-source maintainers report that they have received income from open-source foundations.
Maintainers feel like they are not compensated enough
Only 1% of maintainers reported direct payments or donations from governments or other public entities.
When asked about the top things they dislike about being an open-source maintainer, the top response (50%) maintainers reported was not being financially compensated enough or at all for their work. 49% feel underappreciated or like the work is thankless, and 43% say that it adds to their personal stress.
Against that backdrop, it is probably unsurprising that 60% of maintainers have quit or considered quitting their maintenance work.
Across the board, the percentage of maintainers who are aware of industry standards and initiatives has grown since 2023. The initiative with the highest awareness among maintainers is the OpenSSF Scorecard project, with 40% of maintainers being aware of it, up from 28% in the previous survey. This is followed closely by the NIST SSDF, with 39% awareness, up from 26% in the previous survey.
More maintainers are also aware of the SLSA framework (23%) this year, compared to only 13% when asked about it in 2023. And in the first year including it, 17% were aware of the CISA Secure by Design pledge.
The percentage of maintainers that were not aware of any of these initiatives decreased from 52% in 2023 to 40% this year, as these initiatives continued to gain adoption and traction.
Maintainers are spending 3x more time on security
Maintainers now report they are spending almost 3x more time (11%) on security work than they reported in 2021 (4%). This is not surprising given that maintainers are seeing increasing demands for their time from enterprise users of their projects, security companies giving them more potential vulnerabilities to investigate, and pressure to comply with new security requirements and initiatives like the OpenSSF Scorecard project and the NIST Secure Software Development Framework, among others.
66% report that they are now less trusting of pull requests from non-maintainers in the wake of the XZ Utils hack. The XZ Utils hack has had less of an impact on maintainers relationships with their co-maintainers, as only 37% reported being less trusting of the contributions of their co-maintainers in the wake of the XZ Utils hack.
AI-based coding tools are thriving
The overall maintainer perception of the impact of AI-based coding tools on their work leaned negative, with 45% predicting that these tools will have a somewhat negative (22%) or extremely negative (23%) impact on their work.
64% would be less likely to review and accept contributions they knew were created using AI-based coding tools.
Younger maintainers are significantly more likely to be using AI-based coding tools. While 49% of all maintainers are using AI-based coding tools today, 71% under 26 years old and 58% between the ages of 26-35 are already using AI-based coding tools.
Maintainers shared a set of extremely compelling ideas for the types of open-source problems that could be solved using AI, and the top ideas were related to documentation, issue triage, code quality and review, and dependency management and security.
Must read:
- 20 free cybersecurity tools you might have missed
- 15 open-source cybersecurity tools you’ll wish you’d known earlier
- 20 essential open-source cybersecurity tools that save you time