Skip to main content
close search
site logo

Most open source maintainers still consider themselves hobbyists, despite compensation pledges

A study by Tidelift shows a compensation gap for the key producers of open source applications, raising questions about how to properly secure software supply chains.

Published May 2, 2023
David Jones's headshot
Reporter
Close-up Focus on Person's Hands Typing on the Desktop Computer Keyboard
gorodenkoff via Getty Images

Despite a major push to strengthen the security of the software supply chain, a report released Tuesday from Tidelift shows more than 60% of open source maintainers describe themselves as unpaid hobbyists.

The report highlights a continued gap between the use of open source software by government and private industry and the lack of compensation for the workforce behind those projects. 

Only 13% of the 300 maintainers surveyed consider themselves professional maintainers who derive most of their income from open source project work. About 23% call themselves semi-professional, deriving some of their earnings from maintaining projects. 

Open source is widely used by federal agencies and enterprise users, however without the ability to properly compensate maintainers it remains extremely difficult to screen applications for vulnerabilities. 

The report comes just two months following the release of the national cybersecurity strategy, a comprehensive road map to build a more resilient technology infrastructure across the U.S. in order to protect millions of consumers and critical industries from malicious hackers and other threats to data security. 

Between 70% to 90%  of modern commercial software includes open source components, which means the only way to secure most modern applications would require open source software to meet higher security standards. 

However, unpaid maintainers do not have the time nor the resources to bolster that security under existing compensation models. 

Tidelift CEO Donald Fischer said there is a pretty straightforward way to move forward. The industry needs to provide them with both the “income and process support and the assistance to go apply these secure development standards to their projects,” Fischer said.

The Log4j vulnerability highlighted an equity crisis where wealthy stakeholders from Silicon Valley generate billions of dollars in profits off the back of open source developers, but have previously failed to make the necessary investments to properly compensate these workers for their time and efforts.

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell