Dive Brief:
- Months after the social engineering campaign against XZ Utils, open source maintainers are under more pressure than ever to raise their security standards, but remain largely unpaid, according to a report from Tidelift released Tuesday.
- The multiyear social engineering campaign targeting XZ Utils, a data compression utility found in most Linux distributions, came to a head in late March after a suspected threat actor inserted malicious code into the xz library. The suspected actor, @JiaT75, whose account GitHub later suspended, spent years cultivating a trusted relationship with the legitimate maintainer of the library.
- Maintainers are spending about three times as much on security as they did in previous years, Tidelift found, and many are asked to help search for vulnerabilities and comply with higher software security standards. About two-thirds of maintainers said they are less trusting of their contributors.
Dive Insight:
There's still a gap between the corporate demands on the open source community and what many see as a lack of reciprocity, the report shows.
Despite those increased compliance pressures, about 3 in 5 maintainers remain unpaid. About 44% of maintainers said they would like to get compensation, but thus far do not get paid, while 16% still call themselves unpaid hobbyists and are not asking for compensation.
The Cybersecurity and Infrastructure Security Agency, the White House and other officials have promoted efforts to boost investment in open source security, but industry stakeholders say more is still needed.
“It’s unfortunate that in 2024, the year of the XZ Utils attempt to take advantage of an overworked volunteer maintainer, the majority of maintainers still consider themselves unpaid hobbyists,” Donald Fischer, co-founder and CEO of Tidelift, said via email. “The reason for this is actually quite simple: not enough organizations using open source have prioritized investing in the health and security of their open source software supply chain.”
Maintainers are more aware of industry efforts to boost security, compared with prior years. For example, 40% of respondents said they are aware of the OpenSSF Scorecard project, up from 28% a year ago, Tidelift found.
Nearly 2 in 5 maintainers are aware of the NIST Secure Software Development Framework, up from 26% a year ago.
Overall, maintainers said they are spending much more time and effort to ensure their projects are secure.
“Yes, we do static analysis for insecure usage, run tests with warnings being turned to errors to move away from deprecated features,” said Seth Larson, open source maintainer of urllib3.
Beyond putting more effort into quality control, maintainers are asking more questions of anyone contributing to a project. Larson said pull requests are evaluated on their content rather than their origin.
For example, Larson asks if co-maintainers have a public profile or past project contributions.
The open source community as a whole is sharing more information about potential threats. OpenSSF in May launched an early warning threat sharing platform to inform the community about social engineering attempts and actively exploited vulnerabilities.