Tidelift Study Reveals Paid Open Source Maintainers Do Significantly More Critical Security and Maintenance Work Than Unpaid Maintainers

Tidelift, a provider of solutions for improving the security and resilience of the open source software powering modern applications, today released the 2024 state of the open source maintainer report, which provides insights into the work and mindset of open source maintainers, whose work is critical to the health and security of the software supply chain. The study revealed that paid maintainers are 55% more likely to implement critical security and maintenance practices than unpaid maintainers and are dedicating more time to implementing security practices like those included in industry standards like the OpenSSF Scorecard and the NIST Secure Software Development Framework (SSDF).

Also Read: How CFOs and CIOs are Collaborating to Drive IT ROI

“I feel the need to add a layer of vetting, but adding any additional layer of friction to a possible open source contributor would just scare them away. I cannot afford to be pushing people away.”

Open source is the modern application development platform, with up to 98% of applications containing open source components and open source code making up 70% or more of the average application. Yet the maintainers whose work is critical to the success of open source are being asked to do even more to ensure their projects are well maintained and secure all while 60% of them remain unpaid hobbyists. Against the backdrop of increased attacks on the software supply chain, addressing the threat created by ignoring the needs of overworked, underappreciated, and underpaid maintainers should be a top priority for organizations relying on open source software.

“The health and security of our global software infrastructure depends on open source maintainers,” said Donald Fischer, co-founder and CEO, Tidelift. “Paying maintainers improves their ability to ensure their projects meet the stringent security requirements that enterprise users require. These survey results show that organizations can positively impact their own security by funding the important work of the open source maintainers whose projects they rely on.”

More than 400 maintainers—the people who create and maintain open source software projects—shared details about their work, including how they fund it, who pays for it, and what kinds of security, maintenance, and documentation practices they have in place today or would consider in the future. They also shared their thoughts about current event issues like the recent XZ Utils scare and the impact of AI-based coding tools.

Key findings:

Paid maintainers implement more critical security and maintenance practices than unpaid maintainers.

• Nearly across the board, paid maintainers are 8-26 percentage points (or, on average 55%) more likely to implement many critical security and maintenance practices than unpaid maintainers.
• The top security practices implemented by paid maintainers include two-factor authentication (76% compared to 68% for unpaid maintainers), static code analysis (75% vs. 59%), providing fixes and recommendations for vulnerabilities (70% vs. 54%), security disclosure plan (66% vs. 43%), secrets management (58% vs. 39%), and signed release and published artifact provenance (50% vs. 28%).
• The top maintenance practices implemented by paid maintainers include a formal policy around backwards compatibility (59% compared to 39% for unpaid maintainers), reproducible and verifiable build process (58% vs. 50%), code peer review process with multiple reviewers (53% vs. 27%), and a defined dependency management process (50% vs. 33%).

60% of maintainers are (still) not paid for their work.

• Even with a larger sample of maintainers completing the survey compared to 2023, the percentage of maintainers who describe themselves as unpaid hobbyists stayed identical: 60%.
• Sixteen percent of maintainers said they were unpaid hobbyists and would not want to g******* (compared to 14% in 2023), and 44% said they were unpaid hobbyists but would appreciate getting paid (compared to 46% in 2023).
• It is concerning that the percentage of maintainers getting paid for their work hasn’t changed, especially in light of this year’s XZ Utils hack and with increased focus by both government and industry on the importance of securing the software supply chain.

For the maintainers who are being paid, the top three sources of income are donation programs, employers, and Tidelift.

• One-quarter of maintainers (25%) report receiving income from donation programs, while for 24% of maintainers their open source maintenance work is paid for as part of their salary because it is an explicit part of their job responsibilities. 19% of maintainers report receiving income from Tidelift.
• Only a very small percentage of maintainers report receiving income from other sources, including 5% reporting direct payments or donations from companies (non employer) and another 5% reporting direct payments or donations from individuals.
• Only 3% of maintainers report that they have received income from open source foundations, which has remained steady across all three surveys (it may be surprising that this percentage is not higher).
• Only 1% of maintainers reported direct payments or donations from governments or other public entities.

Also Read: Top Misconceptions Around Data Operations and Breaking Down the Role of a VP of Data Ops

About half of maintainers feel like they are not compensated enough, they are unappreciated, and the work is thankless.

• When asked about the top things they dislike about being an open source maintainer, the top response (50%) maintainers reported was not being financially compensated enough or at all for their work.
• Forty-eight percent of maintainers feel underappreciated or like the work is thankless, and 43% say that it adds to their personal stress.
• Against that backdrop, it is probably unsurprising that more than half (60%) of maintainers have quit or considered quitting their maintenance work.

More maintainers are aware of common industry security standards like the NIST SSDF and the OpenSSF Scorecard in 2024 than 2023.

• Across the board, the percentage of maintainers who are aware of industry standards and initiatives has grown since 2023. The initiative with the highest awareness among maintainers is the OpenSSF Scorecard project, with 40% of maintainers being aware of it, up from 28% in the previous survey. This is followed closely by the NIST SSDF, with 39% awareness, up from 26% in the previous survey.
• More maintainers are also aware of the SLSA framework (23%) this year, compared to only 13% when asked about it in 2023. And in the first year including it, 17% of maintainers were aware of the CISA Secure by Design pledge.
• The percentage of maintainers that were not aware of any of these initiatives decreased from 52% in 2023 to 40% this year, as these initiatives continued to gain adoption and traction.

Maintainers are spending 3x more time on security than they did a few years ago.

• Maintainers now report they are spending almost 3x more time (11%) on security work than they reported in 2021 (4%).
• This is not surprising given that maintainers are seeing increasing demands for their time from enterprise users of their projects, security companies giving them more potential vulnerabilities to investigate, and pressure to comply with new security requirements and initiatives like the OpenSSF Scorecard project and the NIST Secure Software Development Framework, among others.

In the wake of the XZ Utils hack, two-thirds of maintainers are less trusting of contributors.

• Two-thirds (66%) of maintainers report that they are now less trusting of pull requests from non-maintainers in the wake of the XZ Utils hack.
• The XZ Utils hack has had less of an impact on maintainers relationships with their co-maintainers, as only 37% reported being less trusting of the contributions of their co-maintainers in the wake of the XZ Utils hack.
• We asked maintainers to put their feelings into their own words, and as one maintainer said “I feel the need to add a layer of vetting, but adding any additional layer of friction to a possible open source contributor would just scare them away. I cannot afford to be pushing people away.”

AI-based coding tools are thriving, and maintainers have some valid concerns about the impact on their work.

• The overall maintainer perception of the impact of AI-based coding tools on their work leaned negative, with almost half (45%) of maintainers predicting that these tools will have a somewhat negative (22%) or extremely negative (23%) impact on their work.
• Two-thirds (64%) of maintainers would be less likely to review and accept contributions they knew were created using AI-based coding tools.
• Younger maintainers are significantly more likely to be using AI-based coding tools. While 49% of all maintainers are using AI-based coding tools today, 71% of maintainers under 26 years old and 58% of maintainers between the ages of 26-35 are already using AI-based coding tools.
• Maintainers shared a set of extremely compelling ideas for the types of open source problems that could be solved using AI, and the top ideas were related to documentation, issue triage, code quality and review, and dependency management and security.

[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]