security

How To Incentivize Open Source Maintainers for More Security – Spiceworks News and Insights


How can incentivizing maintainers improve your open source software security?

In the wake of several recent high-profile security vulnerabilities impacting open source software, many organizations are actively seeking new strategies to demonstrate and ensure that the critical open source dependencies they depend on stay secure and healthy. Donald Fischer of Tidelift explains how enterprises can upgrade their open source software security.

While many of these efforts focus on reactive strategies like scanning the software for vulnerabilities, that approach has one critical shortcoming: it can only identify known issues. Organizations seeking to make sure their open source software supply chain is secure should also explore ways to proactively ensure security vulnerabilities don’t make their way into the open source projects they depend on in the first place.

Understanding how to proactively improve open source health and security begins with understanding open source maintainers—the people who create the software we depend on and keep it up to date. But many organizations know very little about the people behind these projects and what motivates them.

60% Of Maintainers Are Unpaid Hobbyists

A recent survey of open source maintainers by our organization, Tidelift, found that 60% of maintainers describe themselves as unpaid hobbyists while only 13% describe themselves as professional maintainers who earn most or all of their income from their open source work.

60% of maintainers describe themselves as unpaid hobbyists

Source: TideliftOpens a new window