Despite increasing focus on open-source software security, the majority of maintainers continue to work without financial compensation, raising concerns about the sustainability of the ecosystem.
A recent report published by Tidelift reveals that 60% of open-source project maintainers do not receive any compensation for their work, highlighting the precarious nature of the open-source ecosystem. The survey, conducted among 400 maintainers in mid-2024, underscores the financial challenges many of these developers face, even as security concerns around open-source software continue to grow.
According to the report, 44% of maintainers identified as unpaid hobbyists who would like to be compensated for their work, while another 16% said they are unpaid hobbyists who prefer not to be paid. Only 12% reported earning their primary income from maintaining open-source projects, with another 24% earning some money through semi-professional work.
Precarity and Pressure in the Face of Security Risks
While open-source software has become more crucial, unpaid maintainers face challenges in sustaining their projects. A lack of resources limits their ability to implement necessary security measures, which is troubling in light of incidents like the XZ Utils attack that exposed vulnerabilities in software supply chains.

The report also highlights that 61% of unpaid maintainers work alone, compared with 53% of paid maintainers, who typically have teams of two or more people to share the workload. This discrepancy in team size gives paid maintainers a clear advantage when it comes to tackling day-to-day maintenance and security issues.
Differences in Task Prioritization
The report reveals distinct differences in how paid and unpaid maintainers allocate their time. While unpaid maintainers tend to focus on adding new features to their projects, those receiving compensation dedicate more time to critical areas like security, day-to-day maintenance, and seeking funding or sponsorships.
Security practices also differ between the two groups. The most common security measure across both groups is two-factor authentication. However, paid maintainers are more likely to use advanced tools like static code analysis and develop clear vulnerability disclosure plans.
More Pay, More Time Dedicated to Open Source
As expected, the more maintainers are paid, the more time they can devote to their projects. According to the report, 82% of professional maintainers who rely on their open-source work for income spend over 20 hours a week maintaining their projects. In contrast, 78% of unpaid hobbyists spend ten hours or less per week on maintenance tasks.
Professional maintainers also have more resources to prioritize security vulnerabilities and implement new features, ensuring that projects remain robust and secure. The report indicates that 64% of professional maintainers can prioritize fixing vulnerabilities, compared to just 36% of semi-professionals.

The Payment Dilemma in Open Source
Another significant takeaway from the report is that maintainers overwhelmingly prefer recurring income over one-time payments. A striking 81% of those surveyed said they would rather have predictable monthly income, which allows them to plan their work and sustain projects over the long term. This preference underscores the importance of providing maintainers with a steady income to ensure the ongoing development and security of open-source software.
Gary Gregory, co-maintainer of high-profile projects like Apache Commons and Log4j, emphasized that recurring income provides a sense of security and allows for better planning. “Having recurring income lets you keep doing the work without feeling like you’re wasting your time,” Gregory stated, highlighting the difference between one-time grants and regular, dependable income.
Conclusion: Sustainability at Risk
Tidelift’s report underscores the fragility of the open-source maintenance model, where many developers are not adequately compensated for their work. As governments and organizations place increasing emphasis on software security, it is essential to rethink how open-source maintainers are supported, as their work underpins much of the global technology ecosystem.
While some open-source projects attract sponsors or funding, the majority still operate under a volunteer-based model, which may not be sustainable in the long term. With security incidents on the rise, such as the XZ Utils hack, it is clear that new approaches are needed to ensure that maintainers have the resources they need to continue developing and securing the open-source projects that so many businesses and users rely on every day.